This article is a reference for the settings that are available in the Windows Mobile Device Management (MDM) security baseline for Microsoft Intune.
About this reference article
Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings.
The details that display in this article are based on the baseline version you select at the top of the article. For each version, this article displays:
- A list of each setting with its configuration as found in the default instance of that baseline version.
- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a setting's use.
When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version:
- Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings.
To learn more about using security baselines, see:
Security Baseline for Windows, version 24H2
The settings in this baseline are taken from the Windows 11 version 24H2 security baseline as found in the Security Compliance Toolkit and Baselines from the Microsoft Download Center, and include only the settings that apply to Windows devices managed through Intune. When available, the setting name links to the source Configuration Service Provider (CSP), and then displays that setting's default configuration in the baseline.
Administrative Templates
Control Panel > Personalization
- Prevent enabling lock screen camera 
 Baseline default: Enabled
 Learn more
- Prevent enabling lock screen slide show 
 Baseline default: Enabled
 Learn more
MS Security Guide
- Apply UAC restrictions to local accounts on network logons 
 Baseline default: Enabled
 Learn more
- Configure SMB v1 client driver 
 Baseline default: Enabled
 Learn more
 - Configure MrxSmb10 driver
  Baseline default: Disable driver (recommended)
- Configure SMB v1 server 
 Baseline default: Disabled
 Learn more
- Enable Structured Exception Handling Overwrite Protection (SEHOP) 
 Baseline default: Enabled
 Learn more
- WDigest Authentication (disabling may require KB2871997) 
 Baseline default: Disabled
 Learn more
MSS (Legacy)
- MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) 
 Baseline default: Enabled
 Learn more
 - DisableIPSourceRouting IPv6 (Device)
  Baseline default: Highest protection, source routing is completely disabled
- MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) 
 Baseline default: Enabled
 Learn more
 - DisableIPSourceRouting (Device)
  Baseline default: Highest protection, source routing is completely disabled
- MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes 
 Baseline default: Disabled
 Learn more
- MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers 
 Baseline default: Enabled
 Learn more
Network > DNS Client
- Turn off multicast name resolution
 Baseline default: Enabled
 Learn more
Network > Network Connections
- Prohibit use of Internet Connection Sharing on your DNS domain network
 Baseline default: Enabled
 Learn more
Network > Network Provider
- Hardened UNC Paths
 Baseline default: Enabled
 Learn more
 - Hardened UNC Paths: (Device)
  Baseline defaults (Name = Value):
  - \\*\SYSVOL = RequireMutualAuthentication=1,RequireIntegrity=1
  - \\*\NETLOGON = RequireMutualAuthentication=1,RequireIntegrity=1
Network > Windows Connection Manager
- Prohibit connection to non-domain networks when connected to domain authenticated network
 Baseline default: Enabled
 Learn more
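The entries under MS Security Guide, MSS (Legacy), DNS Client, Network Connections, Network Provider and Windows Connection Manager are all enforced through registry values on the device, so the quickest way to confirm that a deployed baseline actually landed is to read those values back. The following PowerShell script is an added example and not part of this reference page or of the baseline itself. The key paths and value names are the locations these Group Policy settings are known to write to; treat them as the example's assumptions and confirm against the linked CSP documentation for your build. Run it in an elevated session on a managed device.

```powershell
# Added example (not from the Intune reference page): audit a device's live
# registry against the baseline defaults listed above. Key paths and value
# names are assumptions of this example; confirm against the CSP docs.
# Run in an elevated PowerShell session on the managed device.

$BaselineChecks = @(
    @{ Setting = 'Apply UAC restrictions to local accounts on network logons'
       Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'; Expected = 0 }
    @{ Setting = 'Configure SMB v1 client driver (MrxSmb10 disabled)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MrxSmb10'
       Name = 'Start'; Expected = 4 }                      # 4 = SERVICE_DISABLED
    @{ Setting = 'Configure SMB v1 server'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'SMB1'; Expected = 0 }
    @{ Setting = 'Enable SEHOP'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
       Name = 'DisableExceptionChainValidation'; Expected = 0 }
    @{ Setting = 'WDigest Authentication'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
       Name = 'UseLogonCredential'; Expected = 0 }
    @{ Setting = 'MSS: DisableIPSourceRouting (IPv4)'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'DisableIPSourceRouting'; Expected = 2 }     # 2 = highest protection
    @{ Setting = 'MSS: DisableIPSourceRouting IPv6'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
       Name = 'DisableIPSourceRouting'; Expected = 2 }
    @{ Setting = 'MSS: EnableICMPRedirect'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
       Name = 'EnableICMPRedirect'; Expected = 0 }
    @{ Setting = 'MSS: NoNameReleaseOnDemand'
       Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netbt\Parameters'
       Name = 'NoNameReleaseOnDemand'; Expected = 1 }
    @{ Setting = 'Turn off multicast name resolution (LLMNR)'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'EnableMulticast'; Expected = 0 }
    @{ Setting = 'Prohibit use of Internet Connection Sharing on your DNS domain network'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Network Connections'
       Name = 'NC_ShowSharedAccessUI'; Expected = 0 }
    @{ Setting = 'Hardened UNC Paths: \\*\SYSVOL'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
       Name = '\\*\SYSVOL'; Expected = 'RequireMutualAuthentication=1,RequireIntegrity=1' }
    @{ Setting = 'Hardened UNC Paths: \\*\NETLOGON'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
       Name = '\\*\NETLOGON'; Expected = 'RequireMutualAuthentication=1,RequireIntegrity=1' }
    @{ Setting = 'Prohibit connection to non-domain networks when connected to domain authenticated network'
       Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WcmSvc\GroupPolicy'
       Name = 'fBlockNonDomain'; Expected = 1 }
)

function Test-BaselineRegistry {
    [CmdletBinding()]
    param([Parameter(Mandatory)][hashtable[]]$Checks)

    foreach ($c in $Checks) {
        # Get-Item returns a RegistryKey whose GetValue() takes the value name
        # literally. That matters for names such as \\*\SYSVOL, which
        # Get-ItemProperty -Name would otherwise treat as a wildcard pattern.
        $key    = Get-Item -LiteralPath $c.Key -ErrorAction SilentlyContinue
        $actual = if ($key) { $key.GetValue($c.Name, $null) } else { $null }

        # Compare as whitespace-stripped, case-insensitive strings so that a
        # REG_DWORD 0 versus '0', or 'a=1, b=1' versus 'a=1,b=1', is not drift.
        $compliant = ($null -ne $actual) -and
                     (("$actual" -replace '\s', '') -eq ("$($c.Expected)" -replace '\s', ''))

        [pscustomobject]@{
            Setting   = $c.Setting
            Value     = $c.Name
            Expected  = $c.Expected
            Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
            Compliant = $compliant
        }
    }
}

$results = Test-BaselineRegistry -Checks $BaselineChecks
$results | Format-Table Setting, Expected, Actual, Compliant -AutoSize

# A non-zero exit code lets this serve as the detection script of an Intune
# remediation pair, or as a gate in a build pipeline.
$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) setting(s) differ from the baseline default"
    exit 1
}
```

Two caveats when reading the output. A value reported as `<not set>` is a reliable failure only for settings that are off unless the value exists (the Hardened UNC Paths entries and the policy-key entries); for the MSS values the OS default applies when the value is absent, so check the linked documentation for what that default is on your build before treating it as exposure. The SMB v1 client driver policy does more than set the driver's Start value, so a passing `Start = 4` confirms the driver is disabled but not that every part of that policy applied.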
Printers
- Configure Redirection Guard 
 Baseline default: Enabled
 Learn more
 - Redirection Guard Options (Device)
  Baseline default: Redirection Guard Enabled
- Configure RPC connection settings 
 Baseline default: Enabled
 Learn more
 - Use authentication for outgoing RPC connections: (Device)
  Baseline default: Default
 - Protocol to allow for incoming RPC connections: (Device)
  Baseline default: RPC over TCP
- Configure RPC listener settings 
 Baseline default: Enabled
 Learn more
 - Protocols to allow for incoming RPC connections: (Device)
  Baseline default: RPC over TCP
 - Authentication protocol to use for incoming RPC connections: (Device)
  Baseline default: Negotiate
- Configure RPC over TCP port 
 Baseline default: Enabled
 Learn more
 - RPC over TCP port (Device)
  Baseline default: 0
- Limits print driver installation to Administrators 
 Baseline default: Enabled
 Learn more
- Manage processing of Queue-specific files 
 Baseline default: Enabled
 Learn more
 - Manage processing of Queue-specific files: (Device)
  Baseline default: Limit Queue-specific files to Color profiles
Start Menu and Taskbar > Notifications
- Turn off toast notifications on the lock screen (User)
 Baseline default: Enabled
 Learn more
System > Credentials Delegation
- Encryption Oracle Remediation 
 Baseline default: Enabled
 Learn more
 - Protection Level: (Device)
  Baseline default: Force Updated Clients
- Remote host allows delegation of non-exportable credentials 
 Baseline default: Enabled
 Learn more
System > Device Installation > Device Installation Restrictions
- Prevent installation of devices using drivers that match these device setup classes
 Baseline default: Enabled
 Learn more
 - Also apply to matching devices that are already installed
  Baseline default: True
 - Prevented Classes
  Baseline default: {d48179be-ec20-11d1-b6b8-00c04fa372a7}
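The single class GUID in this entry, {d48179be-ec20-11d1-b6b8-00c04fa372a7}, is the SBP-2 (IEEE 1394 storage) device setup class, and the "also apply to devices already installed" option is what makes the restriction bite on hardware that was attached before the baseline arrived. The PowerShell script below is an added example, not part of this page or of the baseline: it reads the restriction policy back from the registry and lists any present device that falls in the prevented class. The policy key path and value names are the example's assumptions about where the Device Installation Restrictions policies are written; confirm them against the linked CSP documentation.

```powershell
# Added example (not from the Intune reference page): verify the device
# installation restriction is in force and list present devices in the
# prevented class. The policy key and value names are assumptions of this
# example; the class GUID is the one the baseline lists.

$PreventedClassGuid = '{d48179be-ec20-11d1-b6b8-00c04fa372a7}'
$RestrictionsKey    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Get-DeviceClassRestrictionState {
    param(
        [Parameter(Mandatory)][string]$ClassGuid,
        [Parameter(Mandatory)][string]$Key
    )

    $policy = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue

    # The prevented classes are stored as numbered string values ("1", "2", ...)
    # under a DenyDeviceClasses subkey; collect their data, not their names.
    $listed  = @()
    $listKey = Get-Item -LiteralPath "$Key\DenyDeviceClasses" -ErrorAction SilentlyContinue
    if ($listKey) {
        $listed = @($listKey.GetValueNames() | ForEach-Object { $listKey.GetValue($_) })
    }

    # Devices currently present whose setup class matches the prevented GUID.
    # With the retroactive option set, these should no longer report OK once
    # the policy has applied.
    $matching = @(Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.ClassGuid -eq $ClassGuid } |
        Select-Object InstanceId, FriendlyName, Class, Status)

    [pscustomobject]@{
        PolicyEnabled       = [bool]($policy -and ($policy.GetValue('DenyDeviceClasses', 0) -eq 1))
        AppliesToInstalled  = [bool]($policy -and ($policy.GetValue('DenyDeviceClassesRetroactive', 0) -eq 1))
        ClassListed         = ($listed -contains $ClassGuid)
        MatchingDeviceCount = $matching.Count
        MatchingDevices     = $matching
    }
}

$state = Get-DeviceClassRestrictionState -ClassGuid $PreventedClassGuid -Key $RestrictionsKey
$state | Format-List PolicyEnabled, AppliesToInstalled, ClassListed, MatchingDeviceCount
$state.MatchingDevices | Format-Table -AutoSize
```

A device that still shows `Status = OK` while `PolicyEnabled`, `AppliesToInstalled` and `ClassListed` are all true usually means the policy has not yet been re-evaluated since the device was enumerated; a reboot or a re-plug of the device settles it.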
System > Early Launch Antimalware
- Boot-Start Driver Initialization Policy
 Baseline default: Enabled
 Learn more
 - Choose the boot-start drivers that can be initialized:
  Baseline default: Good, unknown and bad but critical
System > Group Policy
- Configure registry policy processing
 Baseline default: Enabled
 Learn more
 - Do not apply during periodic background processing (Device)
  Baseline default: False
 - Process even if the Group Policy objects have not changed (Device)
  Baseline default: True
System > Internet Communication Management > Internet Communication settings
- Turn off downloading of print drivers 
 Baseline default: Enabled
 Learn more
- Turn off Internet download for Web publishing and online ordering wizards 
 Baseline default: Enabled
 Learn more
System > Local Security Authority
- Allow Custom SSPs and APs to be loaded into LSASS
 Baseline default: Disabled
 Learn more
System > Power Management > Sleep Settings
- Allow standby states (S1-S3) when sleeping (on battery) 
 Baseline default: Disabled
 Learn more
- Allow standby states (S1-S3) when sleeping (plugged in) 
 Baseline default: Disabled
 Learn more
- Require a password when a computer wakes (on battery) 
 Baseline default: Enabled
 Learn more
- Require a password when a computer wakes (plugged in) 
 Baseline default: Enabled
 Learn more
System > Remote Assistance
- Configure Solicited Remote Assistance
 Baseline default: Disabled
 Learn more
System > Remote Procedure Call
- Restrict Unauthenticated RPC clients
 Baseline default: Enabled
 Learn more
 - RPC Runtime Unauthenticated Client Restriction to Apply:
  Baseline default: Authenticated
Windows Components > App runtime
- Allow Microsoft accounts to be optional
 Baseline default: Enabled
 Learn more
Windows Components > AutoPlay Policies
- Disallow Autoplay for non-volume devices 
 Baseline default: Enabled
 Learn more
- Set the default behavior for AutoRun 
 Baseline default: Enabled
 Learn more
 - Default AutoRun Behavior
  Baseline default: Do not execute any autorun commands
- Turn off Autoplay 
 Baseline default: Enabled
 Learn more
 - Turn off Autoplay on:
  Baseline default: All drives
Windows Components > BitLocker Drive Encryption > Fixed Data Drives
- Deny write access to fixed drives not protected by BitLocker
 Baseline default: Disabled
 Learn more
Windows Components > BitLocker Drive Encryption > Removable Data Drives
- Deny write access to removable drives not protected by BitLocker
 Baseline default: Enabled
 Learn more
 - Do not allow write access to devices configured in another organization
  Baseline default: False
Windows Components > Credential User Interface
- Enumerate administrator accounts on elevation
 Baseline default: Disabled
 Learn more
Windows Components > Event Log Service > Application
- Specify the maximum log file size (KB)
 Baseline default: Enabled
 Learn more
 - Maximum Log Size (KB)
  Baseline default: 32768
Windows Components > Event Log Service > Security
- Specify the maximum log file size (KB)
 Baseline default: Enabled
 Learn more
 - Maximum Log Size (KB)
  Baseline default: 196608
Windows Components > Event Log Service > System
- Specify the maximum log file size (KB)
 Baseline default: Enabled
 Learn more
 - Maximum Log Size (KB)
  Baseline default: 32768
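The three Event Log Service entries above are the ones that decide how much history a device still holds when an incident is investigated: the policy is stated in KB, but the effective size a device reports is in bytes, and a log that is full in circular mode silently overwrites its oldest records. The PowerShell script below is an added example and not part of this page; it reads the effective configuration of each log with Get-WinEvent and compares it with the baseline values listed here. It assumes nothing beyond those three values; run it elevated, since the Security log is not readable otherwise.

```powershell
# Added example (not from the Intune reference page): compare the effective
# maximum size of the Application, Security and System logs with the baseline
# defaults above. Policy values are KB; Get-WinEvent reports bytes.
# Run in an elevated PowerShell session.

$ExpectedMaxSizeKB = @{
    Application = 32768
    Security    = 196608
    System      = 32768
}

function Test-EventLogSize {
    param([Parameter(Mandatory)][hashtable]$ExpectedKB)

    foreach ($logName in $ExpectedKB.Keys) {
        $log      = Get-WinEvent -ListLog $logName -ErrorAction Stop
        $actualKB = [int64]($log.MaximumSizeInBytes / 1KB)

        # How full the log file is right now; a circular log near 100% is
        # already discarding its oldest events.
        $fill = if ($log.MaximumSizeInBytes -gt 0 -and $null -ne $log.FileSize) {
                    [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes, 1)
                } else { $null }

        [pscustomobject]@{
            Log             = $logName
            ExpectedKB      = $ExpectedKB[$logName]
            ActualKB        = $actualKB
            MatchesBaseline = ($actualKB -eq $ExpectedKB[$logName])
            # Larger than the baseline keeps more history; smaller means
            # events are overwritten sooner, which is what the setting guards against.
            MeetsMinimum    = ($actualKB -ge $ExpectedKB[$logName])
            LogMode         = $log.LogMode        # Circular: oldest events overwritten when full
            Records         = $log.RecordCount
            FillPercent     = $fill
        }
    }
}

Test-EventLogSize -ExpectedKB $ExpectedMaxSizeKB |
    Format-Table Log, ExpectedKB, ActualKB, MatchesBaseline, MeetsMinimum, LogMode, Records, FillPercent -AutoSize
```

Checking the live value rather than the policy registry key catches the case where a later local change or a competing configuration source won, which a policy-only check would miss.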
Windows Components > File Explorer
- Configure Windows Defender SmartScreen 
 Baseline default: Enabled
 Learn more
 - Pick one of the following settings: (Device)
  Baseline default: Warn and prevent bypass
- Turn off Data Execution Prevention for Explorer 
 Baseline default: Disabled
 Learn more
- Turn off heap termination on corruption 
 Baseline default: Disabled
 Learn more
Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
- Allow software to run or install even if the signature is invalid 
 Baseline default: Disabled
 Learn more
- Check for server certificate revocation 
 Baseline default: Enabled
 Learn more
- Check for signatures on downloaded programs 
 Baseline default: Enabled
 Learn more
- Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled 
 Baseline default: Enabled
 Learn more
- Turn off encryption support 
 Baseline default: Enabled
 Learn more
 - Secure Protocol combinations
  Baseline default: Use TLS 1.1 and TLS 1.2
- Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows 
 Baseline default: Enabled
 Learn more
- Turn on Enhanced Protected Mode 
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Internet Control Panel
- Prevent ignoring certificate errors
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
- Access data sources across domains 
 Baseline default: Enabled
 Learn more
 - Access data sources across domains
  Baseline default: Disable
- Allow cut, copy or paste operations from the clipboard via script 
 Baseline default: Enabled
 Learn more
 - Allow paste operations via script
  Baseline default: Disable
- Allow drag and drop or copy and paste files 
 Baseline default: Enabled
 Learn more
 - Allow drag and drop or copy and paste files
  Baseline default: Disable
- Allow loading of XAML files 
 Baseline default: Enabled
 Learn more
 - XAML Files
  Baseline default: Disable
- Allow only approved domains to use ActiveX controls without prompt 
 Baseline default: Enabled
 Learn more
 - Only allow approved domains to use ActiveX controls without prompt
  Baseline default: Enable
- Allow only approved domains to use the TDC ActiveX control 
 Baseline default: Enabled
 Learn more
 - Only allow approved domains to use the TDC ActiveX control
  Baseline default: Enable
- Allow script-initiated windows without size or position constraints 
 Baseline default: Enabled
 Learn more
 - Allow script-initiated windows without size or position constraints
  Baseline default: Disable
- Allow scripting of Internet Explorer WebBrowser controls 
 Baseline default: Enabled
 Learn more
 - Internet Explorer web browser control
  Baseline default: Disable
- Allow scriptlets 
 Baseline default: Enabled
 Learn more
 - Scriptlets
  Baseline default: Disable
- Allow updates to status bar via script 
 Baseline default: Enabled
 Learn more
 - Status bar updates via script
  Baseline default: Disable
- Allow VBScript to run in Internet Explorer 
 Baseline default: Enabled
 Learn more
 - Allow VBScript to run in Internet Explorer
  Baseline default: Disable
- Automatic prompting for file downloads 
 Baseline default: Enabled
 Learn more
 - Automatic prompting for file downloads
  Baseline default: Disable
- Don't run antimalware programs against ActiveX controls 
 Baseline default: Enabled
 Learn more
 - Don't run antimalware programs against ActiveX controls
  Baseline default: Disable
- Download signed ActiveX controls 
 Baseline default: Enabled
 Learn more
 - Download signed ActiveX controls
  Baseline default: Disable
- Download unsigned ActiveX controls 
 Baseline default: Enabled
 Learn more
 - Download unsigned ActiveX controls
  Baseline default: Disable
- Enable dragging of content from different domains across windows 
 Baseline default: Enabled
 Learn more
 - Enable dragging of content from different domains across windows
  Baseline default: Disable
- Enable dragging of content from different domains within a window 
 Baseline default: Enabled
 Learn more
 - Enable dragging of content from different domains within a window
  Baseline default: Disable
- Include local path when user is uploading files to a server 
 Baseline default: Enabled
 Learn more
 - Include local path when user is uploading files to a server
  Baseline default: Disable
- Initialize and script ActiveX controls not marked as safe 
 Baseline default: Enabled
 Learn more
 - Initialize and script ActiveX controls not marked as safe
  Baseline default: Disable
- Java permissions 
 Baseline default: Enabled
 Learn more
 - Java permissions
  Baseline default: Disable Java
- Launching applications and files in an IFRAME 
 Baseline default: Enabled
 Learn more
 - Launching applications and files in an IFRAME
  Baseline default: Disable
- Logon options 
 Baseline default: Enabled
 Learn more
 - Logon options
  Baseline default: Prompt for user name and password
- Navigate windows and frames across different domains 
 Baseline default: Enabled
 Learn more
 - Navigate windows and frames across different domains
  Baseline default: Disable
- Run .NET Framework-reliant components not signed with Authenticode 
 Baseline default: Enabled
 Learn more
 - Run .NET Framework-reliant components not signed with Authenticode
  Baseline default: Disable
- Run .NET Framework-reliant components signed with Authenticode 
 Baseline default: Enabled
 Learn more
 - Run .NET Framework-reliant components signed with Authenticode
  Baseline default: Disable
- Show security warning for potentially unsafe files 
 Baseline default: Enabled
 Learn more
 - Launching programs and unsafe files
  Baseline default: Prompt
- Turn on Cross-Site Scripting Filter 
 Baseline default: Enabled
 Learn more
 - Turn on Cross-Site Scripting (XSS) Filter
  Baseline default: Enable
- Turn on Protected Mode 
 Baseline default: Enabled
 Learn more
 - Protected Mode
  Baseline default: Enable
- Turn on SmartScreen Filter scan 
 Baseline default: Enabled
 Learn more
 - Use SmartScreen Filter
  Baseline default: Enable
- Use Pop-up Blocker 
 Baseline default: Enabled
 Learn more
 - Use Pop-up Blocker
  Baseline default: Enable
- Userdata persistence 
 Baseline default: Enabled
 Learn more
 - Userdata persistence
  Baseline default: Disable
- Web sites in less privileged Web content zones can navigate into this zone 
 Baseline default: Enabled
 Learn more
 - Web sites in less privileged Web content zones can navigate into this zone
  Baseline default: Disable
Windows Components > Internet Explorer > Internet Control Panel > Security Page
- Intranet Sites: Include all network paths (UNCs) 
 Baseline default: Disabled
 Learn more
- Turn on certificate address mismatch warning 
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
- Don't run antimalware programs against ActiveX controls 
 Baseline default: Enabled
 Learn more
 - Don't run antimalware programs against ActiveX controls
  Baseline default: Disable
- Initialize and script ActiveX controls not marked as safe 
 Baseline default: Enabled
 Learn more
 - Initialize and script ActiveX controls not marked as safe
  Baseline default: Disable
- Java permissions 
 Baseline default: Enabled
 Learn more
 - Java permissions
  Baseline default: High safety
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
- Don't run antimalware programs against ActiveX controls 
 Baseline default: Enabled
 Learn more
 - Don't run antimalware programs against ActiveX controls
  Baseline default: Disable
- Java permissions 
 Baseline default: Enabled
 Learn more
 - Java permissions
  Baseline default: Disable Java
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
- Turn on SmartScreen Filter scan
 Baseline default: Enabled
 Learn more
 - Use SmartScreen Filter
  Baseline default: Enable
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
- Java permissions
 Baseline default: Enabled
 Learn more
 - Java permissions
  Baseline default: Disable Java
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
- Java permissions
 Baseline default: Enabled
 Learn more
 - Java permissions
  Baseline default: Disable Java
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
- Java permissions 
 Baseline default: Enabled
 Learn more
 - Java permissions
  Baseline default: Disable Java
- Turn on SmartScreen Filter scan 
 Baseline default: Enabled
 Learn more
 - Use SmartScreen Filter
  Baseline default: Enable
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
- Java permissions
 Baseline default: Enabled
 Learn more
 - Java permissions
  Baseline default: Disable Java
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
- Access data sources across domains 
 Baseline default: Enabled
 Learn more
 - Access data sources across domains
  Baseline default: Disable
- Allow active scripting 
 Baseline default: Enabled
 Learn more
 - Allow active scripting
  Baseline default: Disable
- Allow binary and script behaviors 
 Baseline default: Enabled
 Learn more
 - Allow binary and script behaviors
  Baseline default: Disable
- Allow cut, copy or paste operations from the clipboard via script 
 Baseline default: Enabled
 Learn more
 - Allow paste operations via script
  Baseline default: Disable
- Allow drag and drop or copy and paste files 
 Baseline default: Enabled
 Learn more
 - Allow drag and drop or copy and paste files
  Baseline default: Disable
- Allow file downloads 
 Baseline default: Enabled
 Learn more
 - Allow file downloads
  Baseline default: Disable
- Allow loading of XAML files 
 Baseline default: Enabled
 Learn more
 - XAML Files
  Baseline default: Disable
- Allow META REFRESH 
 Baseline default: Enabled
 Learn more
 - Allow META REFRESH
  Baseline default: Disable
- Allow only approved domains to use ActiveX controls without prompt 
 Baseline default: Enabled
 Learn more
 - Only allow approved domains to use ActiveX controls without prompt
  Baseline default: Enable
- Allow only approved domains to use the TDC ActiveX control 
 Baseline default: Enabled
 Learn more
 - Only allow approved domains to use the TDC ActiveX control
  Baseline default: Enable
- Allow script-initiated windows without size or position constraints 
 Baseline default: Enabled
 Learn more
 - Allow script-initiated windows without size or position constraints
  Baseline default: Disable
- Allow scripting of Internet Explorer WebBrowser controls 
 Baseline default: Enabled
 Learn more
 - Internet Explorer web browser control
  Baseline default: Disable
- Allow scriptlets 
 Baseline default: Enabled
 Learn more
 - Scriptlets
  Baseline default: Disable
- Allow updates to status bar via script 
 Baseline default: Enabled
 Learn more
 - Status bar updates via script
  Baseline default: Disable
- Allow VBScript to run in Internet Explorer 
 Baseline default: Enabled
 Learn more
 - Allow VBScript to run in Internet Explorer
  Baseline default: Disable
- Automatic prompting for file downloads 
 Baseline default: Enabled
 Learn more
 - Automatic prompting for file downloads
  Baseline default: Disable
- Don't run antimalware programs against ActiveX controls 
 Baseline default: Enabled
 Learn more
 - Don't run antimalware programs against ActiveX controls
  Baseline default: Disable
- Download signed ActiveX controls 
 Baseline default: Enabled
 Learn more
 - Download signed ActiveX controls
  Baseline default: Disable
- Download unsigned ActiveX controls 
 Baseline default: Enabled
 Learn more
 - Download unsigned ActiveX controls
  Baseline default: Disable
- Enable dragging of content from different domains across windows 
 Baseline default: Enabled
 Learn more
 - Enable dragging of content from different domains across windows
  Baseline default: Disable
- Enable dragging of content from different domains within a window 
 Baseline default: Enabled
 Learn more
 - Enable dragging of content from different domains within a window
  Baseline default: Disable
- Include local path when user is uploading files to a server 
 Baseline default: Enabled
 Learn more
 - Include local directory path when uploading files to a server
  Baseline default: Disable
- Initialize and script ActiveX controls not marked as safe 
 Baseline default: Enabled
 Learn more
 - Initialize and script ActiveX controls not marked as safe
  Baseline default: Disable
- Java permissions 
 Baseline default: Enabled
 Learn more
 - Java permissions
  Baseline default: Disable Java
- Launching applications and files in an IFRAME 
 Baseline default: Enabled
 Learn more
 - Launching applications and files in an IFRAME
  Baseline default: Disable
- Logon options 
 Baseline default: Enabled
 Learn more
 - Logon options
  Baseline default: Anonymous logon
- Navigate windows and frames across different domains 
 Baseline default: Enabled
 Learn more
 - Navigate windows and frames across different domains
  Baseline default: Disable
- Run .NET Framework-reliant components not signed with Authenticode 
 Baseline default: Enabled
 Learn more
 - Run .NET Framework-reliant components not signed with Authenticode
  Baseline default: Disable
- Run .NET Framework-reliant components signed with Authenticode 
 Baseline default: Enabled
 Learn more
 - Run .NET Framework-reliant components signed with Authenticode
  Baseline default: Disable
- Run ActiveX controls and plugins 
 Baseline default: Enabled
 Learn more
 - Run ActiveX controls and plugins
  Baseline default: Disable
- Script ActiveX controls marked safe for scripting 
 Baseline default: Enabled
 Learn more
 - Script ActiveX controls marked safe for scripting
  Baseline default: Disable
- Scripting of Java applets 
 Baseline default: Enabled
 Learn more
 - Scripting of Java applets
  Baseline default: Disable
- Show security warning for potentially unsafe files 
 Baseline default: Enabled
 Learn more
 - Launching programs and unsafe files
  Baseline default: Disable
- Turn on Cross-Site Scripting Filter 
 Baseline default: Enabled
 Learn more
 - Turn on Cross-Site Scripting (XSS) Filter
  Baseline default: Enable
- Turn on Protected Mode 
 Baseline default: Enabled
 Learn more
 - Protected Mode
  Baseline default: Enable
- Turn on SmartScreen Filter scan 
 Baseline default: Enabled
 Learn more
 - Use SmartScreen Filter
  Baseline default: Enable
- Use Pop-up Blocker 
 Baseline default: Enabled
 Learn more
 - Use Pop-up Blocker
  Baseline default: Enable
- Userdata persistence 
 Baseline default: Enabled
 Learn more
 - Userdata persistence
  Baseline default: Disable
- Web sites in less privileged Web content zones can navigate into this zone 
 Baseline default: Enabled
 Learn more
 - Web sites in less privileged Web content zones can navigate into this zone
  Baseline default: Disable
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
- Don't run antimalware programs against ActiveX controls 
 Baseline default: Enabled
 Learn more
 - Don't run antimalware programs against ActiveX controls
  Baseline default: Disable
- Initialize and script ActiveX controls not marked as safe 
 Baseline default: Enabled
 Learn more
 - Initialize and script ActiveX controls not marked as safe
  Baseline default: Disable
- Java permissions 
 Baseline default: Enabled
 Learn more
 - Java permissions
  Baseline default: High safety
Windows Components > Internet Explorer
- Prevent bypassing SmartScreen Filter warnings 
 Baseline default: Enabled
 Learn more
- Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet 
 Baseline default: Enabled
 Learn more
- Prevent managing SmartScreen Filter 
 Baseline default: Enabled
 Learn more
 - Select SmartScreen Filter mode
  Baseline default: On
- Prevent per-user installation of ActiveX controls 
 Baseline default: Enabled
 Learn more
- Security Zones: Do not allow users to add/delete sites 
 Baseline default: Enabled
 Learn more
- Security Zones: Do not allow users to change policies 
 Baseline default: Enabled
 Learn more
- Security Zones: Use only machine settings 
 Baseline default: Enabled
 Learn more
- Specify use of ActiveX Installer Service for installation of ActiveX controls 
 Baseline default: Enabled
 Learn more
- Turn off Crash Detection 
 Baseline default: Enabled
 Learn more
- Turn off the Security Settings Check feature 
 Baseline default: Disabled
 Learn more
- Turn on the auto-complete feature for user names and passwords on forms (User) 
 Baseline default: Disabled
 Learn more
Windows Components > Internet Explorer > Security Features > Add-on Management
- Remove "Run this time" button for outdated ActiveX controls in Internet Explorer 
 Baseline default: Enabled
 Learn more
- Turn off blocking of outdated ActiveX controls for Internet Explorer 
 Baseline default: Disabled
 Learn more
Windows Components > Internet Explorer > Security Features
- Allow fallback to SSL 3.0 (Internet Explorer)
 Baseline default: Enabled
 Learn more
 - Allow insecure fallback for:
  Baseline default: No Sites
Windows Components > Internet Explorer > Security Features > Consistent Mime Handling
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > Notification bar
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > Restrict File Download
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Microsoft Defender Antivirus > MAPS
- Configure the 'Block at First Sight' feature
 Baseline default: Enabled
 Learn more
Windows Components > Microsoft Defender Antivirus > Real-time Protection
- Turn on process scanning whenever real-time protection is enabled
 Baseline default: Enabled
 Learn more
Windows Components > Microsoft Defender Antivirus > Scan
- Scan packed executables
 Baseline default: Enabled
 Learn more
Windows Components > Microsoft Defender Antivirus
- Turn off routine remediation
 Baseline default: Disabled
 Learn more
Windows Components > Remote Desktop Services > Remote Desktop Connection Client
- Do not allow passwords to be saved
 Baseline default: Enabled
 Learn more
Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
- Do not allow drive redirection
 Baseline default: Enabled
 Learn more
Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
- Always prompt for password upon connection 
 Baseline default: Enabled
 Learn more
- Require secure RPC communication 
 Baseline default: Enabled
 Learn more
- Set client connection encryption level 
 Baseline default: Enabled
 Learn more
 - Encryption Level
  Baseline default: High Level
Windows Components > RSS Feeds
- Prevent downloading of enclosures
 Baseline default: Enabled
 Learn more
Windows Components > Windows Logon Options
- Enable MPR notifications for the system 
 Baseline default: Disabled
 Learn more
- Sign-in and lock last interactive user automatically after a restart 
 Baseline default: Disabled
 Learn more
Windows Components > Windows PowerShell
- Turn on PowerShell Script Block Logging
 Baseline default: Enabled
 Learn more
 - Log script block invocation start / stop events:
  Baseline default: False
Windows Components > Windows Remote Management (WinRM) > WinRM Client
- Allow Basic authentication 
 Baseline default: Disabled
 Learn more
- Allow unencrypted traffic 
 Baseline default: Disabled
 Learn more
- Disallow Digest authentication 
 Baseline default: Enabled
 Learn more
Windows Components > Windows Remote Management (WinRM) > WinRM Service
- Allow Basic authentication 
 Baseline default: Disabled
 Learn more
- Allow unencrypted traffic 
 Baseline default: Disabled
 Learn more
- Disallow WinRM from storing RunAs credentials 
 Baseline default: Enabled
 Learn more
Auditing
- Account Logon Audit Credential Validation 
 Baseline default: Success+ Failure
 Learn more
- Account Logon Logoff Audit Account Lockout 
 Baseline default: Failure
 Learn more
- Account Logon Logoff Audit Group Membership 
 Baseline default: Success
 Learn more
- Account Logon Logoff Audit Logon 
 Baseline default: Success+ Failure
 Learn more
- Audit Authentication Policy Change 
 Baseline default: Success
 Learn more
- Audit Changes to Audit Policy 
 Baseline default: Success
 Learn more
- Audit File Share Access 
 Baseline default: Success+ Failure
 Learn more
- Audit Other Logon Logoff Events 
 Baseline default: Success+ Failure
 Learn more
- Audit Security Group Management 
 Baseline default: Success
 Learn more
- Audit Security System Extension 
 Baseline default: Success
 Learn more
- Audit Special Logon 
 Baseline default: Success
 Learn more
- Audit User Account Management 
 Baseline default: Success+ Failure
 Learn more
- Detailed Tracking Audit PNP Activity 
 Baseline default: Success
 Learn more
- Detailed Tracking Audit Process Creation 
 Baseline default: Success
 Learn more
- Object Access Audit Detailed File Share 
 Baseline default: Failure
 Learn more
- Object Access Audit Other Object Access Events 
 Baseline default: Success+ Failure
 Learn more
- Object Access Audit Removable Storage 
 Baseline default: Success+ Failure
 Learn more
- Policy Change Audit MPSSVC Rule Level Policy Change 
 Baseline default: Success+ Failure
 Learn more
- Policy Change Audit Other Policy Change Events 
 Baseline default: Failure
 Learn more
- Privilege Use Audit Sensitive Privilege Use 
 Baseline default: Success
 Learn more
- System Audit Other System Events 
 Baseline default: Success+ Failure
 Learn more
- System Audit Security State Change 
 Baseline default: Success
 Learn more
- System Audit System Integrity 
 Baseline default: Success+ Failure
 Learn more
Browser
- Allow Password Manager 
 Baseline default: Block
 Learn more
- Allow Smart Screen 
 Baseline default: Allow
 Learn more
- Prevent Cert Error Overrides 
 Baseline default: Enabled
 Learn more
- Prevent Smart Screen Prompt Override 
 Baseline default: Enabled
 Learn more
- Prevent Smart Screen Prompt Override For Files 
 Baseline default: Enabled
 Learn more
Data Protection
- Allow Direct Memory Access
 Baseline default: Block
 Learn more
Defender
- Allow Archive Scanning 
 Baseline default: Allowed. Scans the archive files.
 Learn more
- Allow Behavior Monitoring 
 Baseline default: Allowed. Turns on real-time behavior monitoring.
 Learn more
- Allow Cloud Protection 
 Baseline default: Allowed. Turns on Cloud Protection.
 Learn more
- Allow Full Scan Removable Drive Scanning 
 Baseline default: Allowed. Scans removable drives.
 Learn more
- Allow On Access Protection 
 Baseline default: Allowed.
 Learn more
- Allow Realtime Monitoring 
 Baseline default: Allowed. Turns on and runs the real-time monitoring service.
 Learn more
- Allow scanning of all downloaded files and attachments 
 Baseline default: Allowed.
 Learn more
- Allow Script Scanning 
 Baseline default: Allowed.
 Learn more
- Block execution of potentially obfuscated scripts
 Baseline default: Block
 Learn more
- Block Win32 API calls from Office macros
 Baseline default: Block
 Learn more
- Block Office communication application from creating child processes
 Baseline default: Block
 Learn more
- Block all Office applications from creating child processes
 Baseline default: Block
 Learn more
- Block JavaScript or VBScript from launching downloaded executable content
 Baseline default: Block
 Learn more
- Block untrusted and unsigned processes that run from USB
 Baseline default: Block
 Learn more
- Block Adobe Reader from creating child processes
 Baseline default: Block
 Learn more
- Block credential stealing from the Windows local security authority subsystem
 Baseline default: Block
 Learn more
- Block Office applications from creating executable content
 Baseline default: Block
 Learn more
- Block Office applications from injecting code into other processes
 Baseline default: Block
 Learn more
- Block executable content from email client and webmail
 Baseline default: Block
 Learn more
- Cloud Block Level 
 Baseline default: High
 Learn more
- Cloud Extended Timeout 
 Baseline default: Configured
 Value: 50
 Learn more
- Disable Local Admin Merge 
 Baseline default: Disable Local Admin Merge
 Learn more
- Enable File Hash Computation 
 Baseline default: Enable
 Learn more
- Enable Network Protection 
 Baseline default: Enabled (block mode)
 Learn more
- Hide Exclusions From Local Admins 
 Baseline default: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
 Learn more
- PUA Protection 
 Baseline default: PUA Protection on. Detected items are blocked. They will show in history along with other threats.
 Learn more
- Real Time Scan Direction 
 Baseline default: Monitor all files (bi-directional).
 Learn more
- Submit Samples Consent 
 Baseline default: Send all samples automatically.
 Learn more
- Enable Convert Warn To Block 
 Baseline default: Warn verdicts are converted to block
 Learn more
- Hide Exclusions From Local Users 
 Baseline default: If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
 Learn more
- Oobe Enable Rtp And Sig Update 
 Baseline default: If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE.
 Learn more
- Passive Remediation 
 Baseline default: Configured
 Value: PASSIVEREMEDIATIONFLAGSENSEAUTOREMEDIATION: Passive Remediation Sense AutoRemediation
 Learn more
- Quick Scan Include Exclusions 
 Baseline default: If you set this setting to 1, all files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan.
 Learn more
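The Defender settings in this section map onto the properties that Get-MpPreference reports, which makes them easy to check locally once the profile has applied. The script below is an added example, not code from this article or from Microsoft; it assumes the numeric encodings documented for Set-MpPreference (CloudBlockLevel 2 = High, SubmitSamplesConsent 3 = send all samples, PUAProtection 1 = block, EnableNetworkProtection 1 = block mode, RealTimeScanDirection 0 = bi-directional) and the attack surface reduction rule GUIDs that Microsoft publishes for the rule names listed above. Verify both the encodings and the GUIDs against the current Defender documentation before relying on the result.

```powershell
# Added example: compare Get-MpPreference with the Defender section of the baseline.
# Assumption: numeric encodings and ASR rule GUIDs as documented for Set-MpPreference / ASR rules.
$pref = Get-MpPreference

$checks = @(
    @{ Name = 'Archive scanning on';                   Ok = (-not $pref.DisableArchiveScanning) }
    @{ Name = 'Behavior monitoring on';                Ok = (-not $pref.DisableBehaviorMonitoring) }
    @{ Name = 'Cloud protection (MAPS) on';            Ok = ($pref.MAPSReporting -ne 0) }
    @{ Name = 'Removable drives in full scan';         Ok = (-not $pref.DisableRemovableDriveScanning) }
    @{ Name = 'Real-time monitoring on';               Ok = (-not $pref.DisableRealtimeMonitoring) }
    @{ Name = 'Scan downloads and attachments (IOAV)'; Ok = (-not $pref.DisableIOAVProtection) }
    @{ Name = 'Script scanning on';                    Ok = (-not $pref.DisableScriptScanning) }
    @{ Name = 'Block at First Sight on';               Ok = (-not $pref.DisableBlockAtFirstSeen) }
    @{ Name = 'Cloud block level High (2)';            Ok = ($pref.CloudBlockLevel -eq 2) }
    @{ Name = 'Cloud extended timeout 50 s';           Ok = ($pref.CloudExtendedTimeout -eq 50) }
    @{ Name = 'File hash computation on';              Ok = ($pref.EnableFileHashComputation -eq $true) }
    @{ Name = 'Network protection block mode (1)';     Ok = ($pref.EnableNetworkProtection -eq 1) }
    @{ Name = 'PUA protection block (1)';              Ok = ($pref.PUAProtection -eq 1) }
    @{ Name = 'Scan direction bi-directional (0)';     Ok = ($pref.RealTimeScanDirection -eq 0) }
    @{ Name = 'Submit all samples (3)';                Ok = ($pref.SubmitSamplesConsent -eq 3) }
)

# ASR rules the baseline sets to Block (action 1), keyed by the documented rule GUIDs (assumed, verify).
$asrBlock = @{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 'Block Win32 API calls from Office macros'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication application from creating child processes'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office applications from creating executable content'
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 'Block executable content from email client and webmail'
}

# Get-MpPreference exposes rule IDs and actions as two parallel arrays; fold them into one lookup.
$ids      = @($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ })
$actions  = @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
$asrState = @{}
for ($i = 0; $i -lt $ids.Count; $i++) { $asrState[$ids[$i].ToLowerInvariant()] = [int]$actions[$i] }

foreach ($guid in $asrBlock.Keys) {
    $checks += @{ Name = "ASR: $($asrBlock[$guid])"; Ok = ($asrState[$guid] -eq 1) }
}

$checks |
    ForEach-Object { [pscustomobject]@{ Check = $_.Name; Compliant = [bool]$_.Ok } } |
    Sort-Object Compliant, Check | Format-Table -AutoSize
```

A rule that is missing from the device shows as non-compliant rather than erroring, because the lookup simply returns nothing for its GUID; an ASR rule in audit mode (action 2) or warn mode (action 6) is also reported as non-compliant, since the baseline requires Block.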
Device Guard
- Configure System Guard Launch 
 Baseline default: Unmanaged. Enables Secure Launch if supported by hardware.
 Learn more
- Credential Guard 
 Baseline default: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.
 Learn more
- Enable Virtualization Based Security 
 Baseline default: Enable virtualization based security.
 Learn more
- Require Platform Security Features 
 Baseline default: Turns on VBS with Secure Boot.
 Learn more
- Machine Identity Isolation 
 Baseline default: (Disabled) Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key.
 Learn more
Device Lock
- Device Password Enabled
 Baseline default: Enabled
 Learn more
 - Device Password History
  Baseline default: Configured
  Value: 24
  Learn more
 - Min Device Password Length
  Baseline default: Configured
  Value: 14
  Learn more
Dma Guard
- Device Enumeration Policy
 Baseline default: Block all (Most restrictive)
 Learn more
Experience
- Allow Windows Spotlight (User)
 Baseline default: Allow
 Learn more
 - Allow Windows Consumer Features
  Baseline default: Block
  Learn more
 - Allow Third Party Suggestions In Windows Spotlight (User)
  Baseline default: Block
  Learn more
Firewall
- Enable Domain Network Firewall 
 Baseline default: True
 Learn more
 - Enable Log Success Connections
  Baseline default: Enable Logging Of Successful Connections
  Learn more
 - Default Outbound Action
  Baseline default: Allow
  Learn more
 - Enable Log Dropped Packets
  Baseline default: Enable Logging Of Dropped Packets
  Learn more
 - Disable Inbound Notifications
  Baseline default: True
  Learn more
 - Log Max File Size
  Baseline default: 16384
  Learn more
 - Default Inbound Action for Domain Profile
  Baseline default: Block
  Learn more
- Enable Private Network Firewall 
 Baseline default: True
 Learn more
 - Log Max File Size
  Baseline default: 16384
  Learn more
 - Default Inbound Action for Private Profile
  Baseline default: Block
  Learn more
 - Enable Log Success Connections
  Baseline default: Enable Logging Of Successful Connections
  Learn more
 - Enable Log Dropped Packets
  Baseline default: Enable Logging Of Dropped Packets
  Learn more
 - Default Outbound Action
  Baseline default: Allow
  Learn more
 - Disable Inbound Notifications
  Baseline default: True
  Learn more
- Enable Public Network Firewall 
 Baseline default: True
 Learn more
 - Enable Log Dropped Packets
  Baseline default: Enable Logging Of Dropped Packets
  Learn more
 - Log Max File Size
  Baseline default: 16384
  Learn more
 - Default Outbound Action
  Baseline default: Allow
  Learn more
 - Disable Inbound Notifications
  Baseline default: True
  Learn more
 - Default Inbound Action for Public Profile
  Baseline default: Block
  Learn more
 - Allow Local Policy Merge
  Baseline default: False
  Learn more
 - Enable Log Success Connections
  Baseline default: Enable Logging Of Successful Connections
  Learn more
 - Allow Local Ipsec Policy Merge
  Baseline default: False
  Learn more
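The three firewall profiles above share the same inbound, outbound, logging and notification values, and only the Public profile additionally blocks local rule and IPsec policy merge. The script below is an added example rather than content from this article; it assumes the Get-NetFirewallProfile cmdlet from the NetSecurity module and reads the ActiveStore so that the effective (policy plus local) configuration is compared, not only the local store.

```powershell
# Added example: compare the effective firewall profiles with the Firewall section of the baseline.
# Assumes Get-NetFirewallProfile (NetSecurity module); ActiveStore reflects applied policy.

# Values shared by Domain, Private and Public. NotifyOnListen is the inverse of
# "Disable Inbound Notifications = True"; LogAllowed/LogBlocked are the success/drop logging switches.
$common = @{
    Enabled               = 'True'
    DefaultInboundAction  = 'Block'
    DefaultOutboundAction = 'Allow'
    NotifyOnListen        = 'False'
    LogAllowed            = 'True'
    LogBlocked            = 'True'
    LogMaxSizeKilobytes   = 16384
}
# Baseline sets these only on the Public profile.
$publicOnly = @{
    AllowLocalFirewallRules = 'False'   # Allow Local Policy Merge = False
    AllowLocalIPsecRules    = 'False'   # Allow Local Ipsec Policy Merge = False
}

$results = foreach ($fwProfile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    $expected = $common.Clone()
    if ($fwProfile.Name -eq 'Public') {
        $publicOnly.GetEnumerator() | ForEach-Object { $expected[$_.Key] = $_.Value }
    }
    foreach ($prop in $expected.Keys) {
        # Enum-valued properties (GpoBoolean, Action) are compared as strings so 'True'/'Block' line up.
        $current = "$($fwProfile.$prop)"
        [pscustomobject]@{
            Profile   = $fwProfile.Name
            Setting   = $prop
            Expected  = "$($expected[$prop])"
            Current   = $current
            Compliant = ($current -eq "$($expected[$prop])")
        }
    }
}

$drift = @($results | Where-Object { -not $_.Compliant })
if ($drift.Count -eq 0) {
    'All firewall profiles match the baseline.'
} else {
    $drift | Sort-Object Profile, Setting | Format-Table -AutoSize
}
```

If the local store still shows values that differ from the ActiveStore result, that is expected: the baseline is delivered as policy and takes precedence over locally configured profile settings, which is also why the Public profile's merge settings are set to False.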
Lanman Server
- Audit Client Does Not Support Encryption 
 Baseline default: Enabled
 Learn more
- Audit Client Does Not Support Signing 
 Baseline default: Enabled
 Learn more
- Audit Insecure Guest Logon 
 Baseline default: Enabled
 Learn more
- Auth Rate Limiter Delay In Ms 
 Baseline default: 2000
 Learn more
- Enable Auth Rate Limiter 
 Baseline default: Enabled
 Learn more
- Max SMB 2 Dialect 
 Baseline default: SMB 3.1.1
 Learn more
- Min SMB 2 Dialect 
 Baseline default: SMB 3.0.0
 Learn more
- Enable Mailslots 
 Baseline default: Disabled
 Learn more
Lanman Workstation
- Enable Insecure Guest Logons 
 Baseline default: Disabled
 Learn more
- Audit Insecure Guest Logon 
 Baseline default: Enabled
 Learn more
- Audit Server Does Not Support Encryption 
 Baseline default: Enabled
 Learn more
- Audit Server Does Not Support Signing 
 Baseline default: Enabled
 Learn more
- Max SMB 2 Dialect 
 Baseline default: SMB 3.1.1
 Learn more
- Min SMB 2 Dialect 
 Baseline default: SMB 3.0.0
 Learn more
- Require Encryption 
 Baseline default: Disabled
 Learn more
- Enable Mailslots 
 Baseline default: Disabled
 Learn more
Local Policies Security Options
- Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only 
 Baseline default: Enabled
 Learn more
- Interactive Logon Machine Inactivity Limit 
 Baseline default: Configured
 Value: 900
 Learn more
- Interactive Logon Smart Card Removal Behavior 
 Baseline default: Lock Workstation
 Learn more
- Microsoft Network Client Digitally Sign Communications Always 
 Baseline default: Enable
 Learn more
- Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers 
 Baseline default: Disable
 Learn more
- Microsoft Network Server Digitally Sign Communications Always 
 Baseline default: Enable
 Learn more
- Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts 
 Baseline default: Enabled
 Learn more
- Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares 
 Baseline default: Enabled
 Learn more
- Network Access Restrict Anonymous Access To Named Pipes And Shares 
 Baseline default: Enable
 Learn more
- Network Access Restrict Clients Allowed To Make Remote Calls To SAM 
 Baseline default: Configured
 Value: O:BAG:BAD:(A;;RC;;;BA)
 Learn more
- Network Security Do Not Store LAN Manager Hash Value On Next Password Change 
 Baseline default: Enable
 Learn more
- Network Security LAN Manager Authentication Level 
 Baseline default: Send NTLMv2 response only. Refuse LM and NTLM
 Learn more
- Network Security Minimum Session Security For NTLMSSP Based Clients 
 Baseline default: Require NTLM and 128-bit encryption
 Learn more
- Network Security Minimum Session Security For NTLMSSP Based Servers 
 Baseline default: Require NTLM and 128-bit encryption
 Learn more
- User Account Control Behavior Of The Elevation Prompt For Administrators 
 Baseline default: Prompt for consent on the secure desktop
 Learn more
- User Account Control Behavior Of The Elevation Prompt For Standard Users 
 Baseline default: Automatically deny elevation requests
 Learn more
- User Account Control Detect Application Installations And Prompt For Elevation 
 Baseline default: Enable
 Learn more
- User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations 
 Baseline default: Enabled: Application runs with UIAccess integrity only if it resides in secure location.
 Learn more
- User Account Control Run All Administrators In Admin Approval Mode 
 Baseline default: Enabled
 Learn more
- User Account Control Use Admin Approval Mode 
 Baseline default: Enable
 Learn more
- User Account Control Virtualize File And Registry Write Failures To Per User Locations 
 Baseline default: Enabled
 Learn more
Local Security Authority
- Configure Lsa Protected Process
 Baseline default: Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked.
 Learn more
Microsoft App Store
- Allow Game DVR 
 Baseline default: Block
 Learn more
- MSI Allow User Control Over Install 
 Baseline default: Disabled
 Learn more
- MSI Always Install With Elevated Privileges 
 Baseline default: Disabled
 Learn more
Microsoft Edge
SmartScreen settings
- Configure Microsoft Defender SmartScreen 
 Baseline default: Enabled
- Prevent bypassing Microsoft Defender SmartScreen prompts for sites 
 Baseline default: Enabled
Privacy
- Let Apps Activate With Voice Above Lock
 Baseline default: Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it.
 Learn more
Search
- Allow Indexing Encrypted Stores Or Items
 Baseline default: Block
 Learn more
Smart Screen
- Enable Smart Screen In Shell 
 Baseline default: Enabled
 Learn more
- Prevent Override For Files In Shell 
 Baseline default: Enabled
 Learn more
Enhanced Phishing Protection
- Notify Malicious 
 Baseline default: Enabled
- Notify Password Reuse 
 Baseline default: Enabled
- Notify Unsafe App 
 Baseline default: Enabled
- Service Enabled 
 Baseline default: Enabled
System Services
- Configure Xbox Accessory Management Service Startup Mode 
 Baseline default: Disabled
 Learn more
- Configure Xbox Live Auth Manager Service Startup Mode 
 Baseline default: Disabled
 Learn more
- Configure Xbox Live Game Save Service Startup Mode 
 Baseline default: Disabled
 Learn more
- Configure Xbox Live Networking Service Startup Mode 
 Baseline default: Disabled
 Learn more
Task Scheduler
- Enable Xbox Game Save Task
 Baseline default: Disabled
 Learn more
User Rights
- Access From Network 
 Baseline default: Configured
 Values: Administrators (*S-1-5-32-544), Remote Desktop Users (*S-1-5-32-555)
 Learn more
- Allow Local Log On 
 Baseline default: Configured
 Values: Administrators (*S-1-5-32-544), Users (*S-1-5-32-545)
 Learn more
- Backup Files And Directories 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Create Global Objects 
 Baseline default: Configured
 Values: Administrators (*S-1-5-32-544), Local Service (*S-1-5-19), Network Service (*S-1-5-20), Service (*S-1-5-6)
 Learn more
- Create Page File 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Debug Programs 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Deny Access From Network 
 Baseline default: Configured
 Value: NT AUTHORITY\Local Account (*S-1-5-113)
 Learn more
- Deny Remote Desktop Services Log On 
 Baseline default: Configured
 Value: NT AUTHORITY\Local Account (*S-1-5-113)
 Learn more
- Impersonate Client 
 Baseline default: Configured
 Values: Administrators (*S-1-5-32-544), Service (*S-1-5-6), Local Service (*S-1-5-19), Network Service (*S-1-5-20)
 Learn more
- Load Unload Device Drivers 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Manage Auditing And Security Log 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Manage Volume 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Modify Firmware Environment 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Profile Single Process 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Remote Shutdown 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Restore Files And Directories 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Take Ownership 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
Virtualization Based Technology
- Hypervisor Enforced Code Integrity
 Baseline default: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock.
 Learn more
Wi-Fi Settings
- Allow Auto Connect To Wi Fi Sense Hotspots 
 Baseline default: Block
 Learn more
- Allow Internet Sharing 
 Baseline default: Block
 Learn more
Windows Hello For Business
- Facial Features Use Enhanced Anti Spoofing
 Baseline default: true
 Learn more
Windows Ink Workspace
- Allow Windows Ink Workspace
 Baseline default: Ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
 Learn more
LAPS
- Backup Directory
 Baseline default: Backup the password to Azure AD only
 Learn more
Kerberos
- PK Init Hash Algorithm Configuration 
 Baseline default: Enabled
 Learn more
 - PK Init Hash Algorithm SHA256 
  Baseline default: Supported
  Learn more
 - PK Init Hash Algorithm SHA384 
  Baseline default: Supported
  Learn more
 - PK Init Hash Algorithm SHA512 
  Baseline default: Supported
  Learn more
 - PK Init Hash Algorithm SHA1 
  Baseline default: Not Supported
  Learn more
Sudo
- Enable Sudo
 Baseline default: Sudo is disabled.
 Learn more
Security Baseline for Windows, version 23H2
The settings in this baseline are taken from the Windows 11 version 23H2 Group Policy security baseline as found in the Security Compliance Toolkit and Baselines from the Microsoft Download Center, and include only the settings that apply to Windows devices managed through Intune. When available, the setting name links to the source Configuration Service Provider (CSP), and then displays that setting's default configuration in the baseline.
Administrative Templates
Control Panel > Personalization
- Prevent enabling lock screen camera 
 Baseline default: Enabled
 Learn more
- Prevent enabling lock screen slide show 
 Baseline default: Enabled
 Learn more
MS Security Guide
- Apply UAC restrictions to local accounts on network logons 
 Baseline default: Enabled
 Learn more
- Configure SMB v1 client driver 
 Baseline default: Enabled
 Learn more
 - Configure MrxSmb10 driver
  Baseline default: Disable driver (recommended)
- Configure SMB v1 server 
 Baseline default: Disabled
 Learn more
- Enable Structured Exception Handling Overwrite Protection (SEHOP) 
 Baseline default: Enabled
 Learn more
- WDigest Authentication (disabling may require KB2871997) 
 Baseline default: Disabled
 Learn more
MSS (Legacy)
- MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) 
 Baseline default: Enabled
 Learn more
 - DisableIPSourceRouting IPv6 (Device)
  Baseline default: Highest protection, source routing is completely disabled
- MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) 
 Baseline default: Enabled
 Learn more
 - DisableIPSourceRouting (Device)
  Baseline default: Highest protection, source routing is completely disabled
- MSS: (EnableCMPRedirect) Allow ICMP redirects to override OSPF generated routes 
 Baseline default: Disabled
 Learn more
- MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers 
 Baseline default: Enabled
 Learn more
Network > DNS Client
- Turn off multicast name resolution
 Baseline default: Enabled
 Learn more
Network > Network Connections
- Prohibit use of Internet Connection Sharing on your DNS domain network
 Baseline default: Enabled
 Learn more
Network > Network Provider
- Hardened UNC Paths
 Baseline default: Enabled
 Learn more
 - Hardened UNC Paths: (Device)
  Baseline defaults (Name = Value):
   \\*\SYSVOL = RequireMutualAuthentication=1,RequireIntegrity=1
   \\*\NETLOGON = RequireMutualAuthentication=1,RequireIntegrity=1
Network > Windows Connection Manager
- Prohibit connection to non-domain networks when connected to domain authenticated network
 Baseline default: Enabled
 Learn more
Printers
- Configure Redirection Guard 
 Baseline default: Enabled
 Learn more
 - Redirection Guard Options (Device)
  Baseline default: Redirection Guard Enabled
- Configure RPC connection settings 
 Baseline default: Enabled
 Learn more
 - Use authentication for outgoing RPC connections: (Device)
  Baseline default: Default
 - Protocol to allow for incoming RPC connections: (Device)
  Baseline default: RPC over TCP
- Configure RPC listener settings 
 Baseline default: Enabled
 Learn more
 - Protocols to allow for incoming RPC connections: (Device)
  Baseline default: RPC over TCP
 - Authentication protocol to use for incoming RPC connections: (Device)
  Baseline default: Negotiate
- Configure RPC over TCP port 
 Baseline default: Enabled
 Learn more
 - RPC over TCP port (Device)
  Baseline default: 0
- Limits print driver installation to Administrators 
 Baseline default: Enabled
 Learn more
- Manage processing of Queue-specific files 
 Baseline default: Enabled
 Learn more
 - Manage processing of Queue-specific files: (Device)
  Baseline default: Limit Queue-specific files to Color profiles
Start Menu and Taskbar > Notifications
- Turn off toast notifications on the lock screen (User)
 Baseline default: Enabled
 Learn more
System > Credentials Delegation
- Encryption Oracle Remediation 
 Baseline default: Enabled
 Learn more
 - Protection Level: (Device)
  Baseline default: Force Updated Clients
- Remote host allows delegation of non-exportable credentials 
 Baseline default: Enabled
 Learn more
System > Device Installation > Device Installation Restrictions
- Prevent installation of devices using drivers that match these device setup classes
 Baseline default: Enabled
 Learn more
 - Also apply to matching devices that are already installed
  Baseline default: True
 - Prevented Classes
  Baseline default: {d48179be-ec20-11d1-b6b8-00c04fa372a7}
System > Early Launch Antimalware
- Boot-Start Driver Initialization Policy
 Baseline default: Enabled
 Learn more
 - Choose the boot-start drivers that can be initialized:
  Baseline default: Good, unknown and bad but critical
System > Group Policy
- Configure registry policy processing
 Baseline default: Enabled
 Learn more
 - Do not apply during periodic background processing (Device)
  Baseline default: False
 - Process even if the Group Policy objects have not changed (Device)
  Baseline default: True
System > Internet Communication Management > Internet Communication settings
- Turn off downloading of print drivers 
 Baseline default: Enabled
 Learn more
- Turn off Internet download for Web publishing and online ordering wizards 
 Baseline default: Enabled
 Learn more
System > Local Security Authority
- Allow Custom SSPs and APs to be loaded into LSASS
 Baseline default: Disabled
 Learn more
System > Power Management > Sleep Settings
- Allow standby states (S1-S3) when sleeping (on battery) 
 Baseline default: Disabled
 Learn more
- Allow standby states (S1-S3) when sleeping (plugged in) 
 Baseline default: Disabled
 Learn more
- Require a password when a computer wakes (on battery) 
 Baseline default: Enabled
 Learn more
- Require a password when a computer wakes (plugged in) 
 Baseline default: Enabled
 Learn more
System > Remote Assistance
- Configure Solicited Remote Assistance
 Baseline default: Disabled
 Learn more
System > Remote Procedure Call
- Restrict Unauthenticated RPC clients
 Baseline default: Enabled
 Learn more
 - RPC Runtime Unauthenticated Client Restriction to Apply:
  Baseline default: Authenticated
Windows Components > App runtime
- Allow Microsoft accounts to be optional
 Baseline default: Enabled
 Learn more
Windows Components > AutoPlay Policies
- Disallow Autoplay for non-volume devices 
 Baseline default: Enabled
 Learn more
- Set the default behavior for AutoRun 
 Baseline default: Enabled
 Learn more
 - Default AutoRun Behavior
  Baseline default: Do not execute any autorun commands
- Turn off Autoplay 
 Baseline default: Enabled
 Learn more
 - Turn off Autoplay on:
  Baseline default: All drives
Windows Components > BitLocker Drive Encryption > Fixed Data Drives
- Deny write access to fixed drives not protected by BitLocker
 Baseline default: Disabled
 Learn more
Windows Components > BitLocker Drive Encryption > Removable Data Drives
- Deny write access to removable drives not protected by BitLocker
 Baseline default: Enabled
 Learn more
 - Do not allow write access to devices configured in another organization
  Baseline default: False
Windows Components > Credential User Interface
- Enumerate administrator accounts on elevation
 Baseline default: Disabled
 Learn more
Windows Components > Event Log Service > Application
- Specify the maximum log file size (KB)
 Baseline default: Enabled
 Learn more
 - Maximum Log Size (KB)
  Baseline default: 32768
Windows Components > Event Log Service > Security
- Specify the maximum log file size (KB)
 Baseline default: Enabled
 Learn more
 - Maximum Log Size (KB)
  Baseline default: 196608
Windows Components > Event Log Service > System
- Specify the maximum log file size (KB)
 Baseline default: Enabled
 Learn more
 - Maximum Log Size (KB)
  Baseline default: 32768
Windows Components > File Explorer
- Configure Windows Defender SmartScreen 
 Baseline default: Enabled
 Learn more
 - Pick one of the following settings: (Device)
  Baseline default: Warn and prevent bypass
- Turn off Data Execution Prevention for Explorer 
 Baseline default: Disabled
 Learn more
- Turn off heap termination on corruption 
 Baseline default: Disabled
 Learn more
Windows Components > Internet Explorer > Internet Control Panel > Advanced Page
- Allow software to run or install even if the signature is invalid 
 Baseline default: Disabled
 Learn more
- Check for server certificate revocation 
 Baseline default: Enabled
 Learn more
- Check for signatures on downloaded programs 
 Baseline default: Enabled
 Learn more
- Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled 
 Baseline default: Enabled
 Learn more
- Turn off encryption support 
 Baseline default: Enabled
 Learn more
 - Secure Protocol combinations
  Baseline default: Use TLS 1.1 and TLS 1.2
- Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows 
 Baseline default: Enabled
 Learn more
- Turn on Enhanced Protected Mode 
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Internet Control Panel
- Prevent ignoring certificate errors
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone
- Access data sources across domains 
 Baseline default: Enabled
 Learn more- Access data sources across domains
 Baseline default: Disable
 
- Access data sources across domains
- Allow cut, copy or paste operations from the clipboard via script 
 Baseline default: Enabled
 Learn more- Allow paste operations via script
 Baseline default: Disable
 
- Allow paste operations via script
- Allow drag and drop or copy and paste files 
 Baseline default: Enabled
 Learn more
  - Allow drag and drop or copy and paste files
   Baseline default: Disable
- Allow loading of XAML files 
 Baseline default: Enabled
 Learn more
  - XAML Files
   Baseline default: Disable
- Allow only approved domains to use ActiveX controls without prompt 
 Baseline default: Enabled
 Learn more
  - Only allow approved domains to use ActiveX controls without prompt
   Baseline default: Enable
- Allow only approved domains to use the TDC ActiveX control 
 Baseline default: Enabled
 Learn more
  - Only allow approved domains to use the TDC ActiveX control
   Baseline default: Enable
- Allow script-initiated windows without size or position constraints 
 Baseline default: Enabled
 Learn more
  - Allow script-initiated windows without size or position constraints
   Baseline default: Disable
- Allow scripting of Internet Explorer WebBrowser controls 
 Baseline default: Enabled
 Learn more
  - Internet Explorer web browser control
   Baseline default: Disable
- Allow scriptlets 
 Baseline default: Enabled
 Learn more
  - Scriptlets
   Baseline default: Disable
- Allow updates to status bar via script 
 Baseline default: Enabled
 Learn more
  - Status bar updates via script
   Baseline default: Disable
- Allow VBScript to run in Internet Explorer 
 Baseline default: Enabled
 Learn more
  - Allow VBScript to run in Internet Explorer
   Baseline default: Disable
- Automatic prompting for file downloads 
 Baseline default: Enabled
 Learn more
  - Automatic prompting for file downloads
   Baseline default: Disable
- Don't run antimalware programs against ActiveX controls 
 Baseline default: Enabled
 Learn more
  - Don't run antimalware programs against ActiveX controls
   Baseline default: Disable
- Download signed ActiveX controls 
 Baseline default: Enabled
 Learn more
  - Download signed ActiveX controls
   Baseline default: Disable
- Download unsigned ActiveX controls 
 Baseline default: Enabled
 Learn more
  - Download unsigned ActiveX controls
   Baseline default: Disable
- Enable dragging of content from different domains across windows 
 Baseline default: Enabled
 Learn more
  - Enable dragging of content from different domains across windows
   Baseline default: Disable
- Enable dragging of content from different domains within a window 
 Baseline default: Enabled
 Learn more
  - Enable dragging of content from different domains within a window
   Baseline default: Disable
- Include local path when user is uploading files to a server 
 Baseline default: Enabled
 Learn more
  - Include local path when user is uploading files to a server
   Baseline default: Disable
- Initialize and script ActiveX controls not marked as safe 
 Baseline default: Enabled
 Learn more
  - Initialize and script ActiveX controls not marked as safe
   Baseline default: Disable
- Java permissions 
 Baseline default: Enabled
 Learn more
  - Java permissions
   Baseline default: Disable Java
- Launching applications and files in an IFRAME 
 Baseline default: Enabled
 Learn more
  - Launching applications and files in an IFRAME
   Baseline default: Disable
- Logon options 
 Baseline default: Enabled
 Learn more
  - Logon options
   Baseline default: Prompt for user name and password
- Navigate windows and frames across different domains 
 Baseline default: Enabled
 Learn more
  - Navigate windows and frames across different domains
   Baseline default: Disable
- Run .NET Framework-reliant components not signed with Authenticode 
 Baseline default: Enabled
 Learn more
  - Run .NET Framework-reliant components not signed with Authenticode
   Baseline default: Disable
- Run .NET Framework-reliant components signed with Authenticode 
 Baseline default: Enabled
 Learn more
  - Run .NET Framework-reliant components signed with Authenticode
   Baseline default: Disable
- Show security warning for potentially unsafe files 
 Baseline default: Enabled
 Learn more
  - Launching programs and unsafe files
   Baseline default: Prompt
- Turn on Cross-Site Scripting Filter 
 Baseline default: Enabled
 Learn more
  - Turn on Cross-Site Scripting (XSS) Filter
   Baseline default: Enable
- Turn on Protected Mode 
 Baseline default: Enabled
 Learn more
  - Protected Mode
   Baseline default: Enable
- Turn on SmartScreen Filter scan 
 Baseline default: Enabled
 Learn more
  - Use SmartScreen Filter
   Baseline default: Enable
- Use Pop-up Blocker 
 Baseline default: Enable
 Learn more
  - Use Pop-up Blocker
   Baseline default: Enable
- Userdata persistence 
 Baseline default: Enabled
 Learn more
  - Userdata persistence
   Baseline default: Disable
- Web sites in less privileged Web content zones can navigate into this zone 
 Baseline default: Enabled
 Learn more
  - Web sites in less privileged Web content zones can navigate into this zone
   Baseline default: Disable
Windows Components > Internet Explorer > Internet Control Panel > Security Page
- Intranet Sites: Include all network paths (UNCs) 
 Baseline default: Disabled
 Learn more
- Turn on certificate address mismatch warning 
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone
- Don't run antimalware programs against ActiveX controls 
 Baseline default: Enabled
 Learn more
  - Don't run antimalware programs against ActiveX controls
   Baseline default: Disable
- Initialize and script ActiveX controls not marked as safe 
 Baseline default: Enabled
 Learn more
  - Initialize and script ActiveX controls not marked as safe
   Baseline default: Disable
- Java permissions 
 Baseline default: Enabled
 Learn more
  - Java permissions
   Baseline default: High safety
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone
- Don't run antimalware programs against ActiveX controls 
 Baseline default: Enabled
 Learn more
  - Don't run antimalware programs against ActiveX controls
   Baseline default: Disable
- Java permissions 
 Baseline default: Enabled
 Learn more
  - Java permissions
   Baseline default: Disable Java
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone
- Turn on SmartScreen Filter scan
 Baseline default: Enabled
 Learn more
  - Use SmartScreen Filter
   Baseline default: Enable
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone
- Java permissions
 Baseline default: Enabled
 Learn more
  - Java permissions
   Baseline default: Disable Java
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone
- Java permissions
 Baseline default: Enabled
 Learn more
  - Java permissions
   Baseline default: Disable Java
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone
- Java permissions 
 Baseline default: Enabled
 Learn more
  - Java permissions
   Baseline default: Disable Java
- Turn on SmartScreen Filter scan 
 Baseline default: Enabled
 Learn more
  - Use SmartScreen Filter
   Baseline default: Enable
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone
- Java permissions
 Baseline default: Enabled
 Learn more
  - Java permissions
   Baseline default: Disable Java
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone
- Access data sources across domains 
 Baseline default: Enabled
 Learn more
  - Access data sources across domains
   Baseline default: Disable
- Allow active scripting 
 Baseline default: Enabled
 Learn more
  - Allow active scripting
   Baseline default: Disable
- Allow binary and script behaviors 
 Baseline default: Enabled
 Learn more
  - Allow binary and script behaviors
   Baseline default: Disable
- Allow cut, copy or paste operations from the clipboard via script 
 Baseline default: Enabled
 Learn more
  - Allow paste operations via script
   Baseline default: Disable
- Allow drag and drop or copy and paste files 
 Baseline default: Enabled
 Learn more
  - Allow drag and drop or copy and paste files
   Baseline default: Disable
- Allow file downloads 
 Baseline default: Enabled
 Learn more
  - Allow file downloads
   Baseline default: Disable
- Allow loading of XAML files 
 Baseline default: Enabled
 Learn more
  - XAML Files
   Baseline default: Disable
- Allow META REFRESH 
 Baseline default: Enabled
 Learn more
  - Allow META REFRESH
   Baseline default: Disable
- Allow only approved domains to use ActiveX controls without prompt 
 Baseline default: Enabled
 Learn more
  - Only allow approved domains to use ActiveX controls without prompt
   Baseline default: Enable
- Allow only approved domains to use the TDC ActiveX control 
 Baseline default: Enabled
 Learn more
  - Only allow approved domains to use the TDC ActiveX control
   Baseline default: Enable
- Allow script-initiated windows without size or position constraints 
 Baseline default: Enabled
 Learn more
  - Allow script-initiated windows without size or position constraints
   Baseline default: Disable
- Allow scripting of Internet Explorer WebBrowser controls 
 Baseline default: Enabled
 Learn more
  - Internet Explorer web browser control
   Baseline default: Disable
- Allow scriptlets 
 Baseline default: Enabled
 Learn more
  - Scriptlets
   Baseline default: Disable
- Allow updates to status bar via script 
 Baseline default: Enabled
 Learn more
  - Status bar updates via script
   Baseline default: Disable
- Allow VBScript to run in Internet Explorer 
 Baseline default: Enabled
 Learn more
  - Allow VBScript to run in Internet Explorer
   Baseline default: Disable
- Automatic prompting for file downloads 
 Baseline default: Enabled
 Learn more
  - Automatic prompting for file downloads
   Baseline default: Disable
- Don't run antimalware programs against ActiveX controls 
 Baseline default: Enabled
 Learn more
  - Don't run antimalware programs against ActiveX controls
   Baseline default: Disable
- Download signed ActiveX controls 
 Baseline default: Enabled
 Learn more
  - Download signed ActiveX controls
   Baseline default: Disable
- Download unsigned ActiveX controls 
 Baseline default: Enabled
 Learn more
  - Download unsigned ActiveX controls
   Baseline default: Disable
- Enable dragging of content from different domains across windows 
 Baseline default: Enabled
 Learn more
  - Enable dragging of content from different domains across windows
   Baseline default: Disable
- Enable dragging of content from different domains within a window 
 Baseline default: Enabled
 Learn more
  - Enable dragging of content from different domains within a window
   Baseline default: Disable
- Include local path when user is uploading files to a server 
 Baseline default: Enabled
 Learn more
  - Include local directory path when uploading files to a server
   Baseline default: Disable
- Initialize and script ActiveX controls not marked as safe 
 Baseline default: Enabled
 Learn more
  - Initialize and script ActiveX controls not marked as safe
   Baseline default: Disable
- Java permissions 
 Baseline default: Enabled
 Learn more
  - Java permissions
   Baseline default: Disable Java
- Launching applications and files in an IFRAME 
 Baseline default: Enabled
 Learn more
  - Launching applications and files in an IFRAME
   Baseline default: Disable
- Logon options 
 Baseline default: Enabled
 Learn more
  - Logon options
   Baseline default: Anonymous logon
- Navigate windows and frames across different domains 
 Baseline default: Enabled
 Learn more
  - Navigate windows and frames across different domains
   Baseline default: Disable
- Run .NET Framework-reliant components not signed with Authenticode 
 Baseline default: Enabled
 Learn more
  - Run .NET Framework-reliant components not signed with Authenticode
   Baseline default: Disable
- Run .NET Framework-reliant components signed with Authenticode 
 Baseline default: Enabled
 Learn more
  - Run .NET Framework-reliant components signed with Authenticode
   Baseline default: Disable
- Run ActiveX controls and plugins 
 Baseline default: Enabled
 Learn more
  - Run ActiveX controls and plugins
   Baseline default: Disable
- Script ActiveX controls marked safe for scripting 
 Baseline default: Enabled
 Learn more
  - Script ActiveX controls marked safe for scripting
   Baseline default: Disable
- Scripting of Java applets 
 Baseline default: Enabled
 Learn more
  - Scripting of Java applets
   Baseline default: Disable
- Show security warning for potentially unsafe files 
 Baseline default: Enabled
 Learn more
  - Launching programs and unsafe files
   Baseline default: Disable
- Turn on Cross-Site Scripting Filter 
 Baseline default: Enabled
 Learn more
  - Turn on Cross-Site Scripting (XSS) Filter
   Baseline default: Enabled
- Turn on Protected Mode 
 Baseline default: Enabled
 Learn more
  - Protected Mode
   Baseline default: Enabled
- Turn on SmartScreen Filter scan 
 Baseline default: Enabled
 Learn more
  - Use SmartScreen Filter
   Baseline default: Enabled
- Use Pop-up Blocker 
 Baseline default: Enabled
 Learn more
  - Use Pop-up Blocker
   Baseline default: Enabled
- Userdata persistence 
 Baseline default: Enabled
 Learn more
  - Userdata persistence
   Baseline default: Disable
- Web sites in less privileged Web content zones can navigate into this zone 
 Baseline default: Enabled
 Learn more
  - Web sites in less privileged Web content zones can navigate into this zone
   Baseline default: Disable
Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone
- Don't run antimalware programs against ActiveX controls 
 Baseline default: Enabled
 Learn more
  - Don't run antimalware programs against ActiveX controls
   Baseline default: Disable
- Initialize and script ActiveX controls not marked as safe 
 Baseline default: Enabled
 Learn more
  - Initialize and script ActiveX controls not marked as safe
   Baseline default: Disable
- Java permissions 
 Baseline default: Enabled
 Learn more
  - Java permissions
   Baseline default: High safety
Windows Components > Internet Explorer
- Prevent bypassing SmartScreen Filter warnings 
 Baseline default: Enabled
 Learn more
- Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet 
 Baseline default: Enabled
 Learn more
- Prevent managing SmartScreen Filter 
 Baseline default: Enabled
 Learn more
  - Select SmartScreen Filter mode
   Baseline default: On
- Prevent per-user installation of ActiveX controls 
 Baseline default: Enabled
 Learn more
- Security Zones: Do not allow users to add/delete sites 
 Baseline default: Enabled
 Learn more
- Security Zones: Do not allow users to change policies 
 Baseline default: Enabled
 Learn more
- Security Zones: Use only machine settings 
 Baseline default: Enabled
 Learn more
- Specify use of ActiveX Installer Service for installation of ActiveX controls 
 Baseline default: Enabled
 Learn more
- Turn off Crash Detection 
 Baseline default: Enabled
 Learn more
- Turn off the Security Settings Check feature 
 Baseline default: Disabled
 Learn more
- Turn on the auto-complete feature for user names and passwords on forms (User) 
 Baseline default: Disabled
 Learn more
Windows Components > Internet Explorer > Security Features > Add-on Management
- Remove "Run this time" button for outdated ActiveX controls in Internet Explorer 
 Baseline default: Enabled
 Learn more
- Turn off blocking of outdated ActiveX controls for Internet Explorer 
 Baseline default: Disabled
 Learn more
Windows Components > Internet Explorer > Security Features
- Allow fallback to SSL 3.0 (Internet Explorer)
 Baseline default: Enabled
 Learn more
  - Allow insecure fallback for:
   Baseline default: No Sites
Windows Components > Internet Explorer > Security Features > Consistent Mime Handling
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > Notification bar
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > Restrict File Download
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions
- Internet Explorer Processes
 Baseline default: Enabled
 Learn more
Windows Components > Microsoft Defender Antivirus > MAPS
- Configure the 'Block at First Sight' feature
 Baseline default: Enabled
 Learn more
Windows Components > Microsoft Defender Antivirus > Real-time Protection
- Turn on process scanning whenever real-time protection is enabled
 Baseline default: Enabled
 Learn more
Windows Components > Microsoft Defender Antivirus > Scan
- Scan packed executables
 Baseline default: Enabled
 Learn more
Windows Components > Microsoft Defender Antivirus
- Turn off routine remediation
 Baseline default: Disabled
 Learn more
Windows Components > Remote Desktop Services > Remote Desktop Connection Client
- Do not allow passwords to be saved
 Baseline default: Enabled
 Learn more
Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection
- Do not allow drive redirection
 Baseline default: Enabled
 Learn more
Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security
- Always prompt for password upon connection 
 Baseline default: Enabled
 Learn more
- Require secure RPC communication 
 Baseline default: Enabled
 Learn more
- Set client connection encryption level 
 Baseline default: Enabled
 Learn more
  - Encryption Level
   Baseline default: High Level
Windows Components > RSS Feeds
- Prevent downloading of enclosures
 Baseline default: Enabled
 Learn more
Windows Components > Windows Logon Options
- Enable MPR notifications for the system 
 Baseline default: Disabled
 Learn more
- Sign-in and lock last interactive user automatically after a restart 
 Baseline default: Disabled
 Learn more
Windows Components > Windows PowerShell
- Turn on PowerShell Script Block Logging
 Baseline default: Enabled
 Learn more
  - Log script block invocation start / stop events:
   Baseline default: False
Windows Components > Windows Remote Management (WinRM) > WinRM Client
- Allow Basic authentication 
 Baseline default: Disabled
 Learn more
- Allow unencrypted traffic 
 Baseline default: Disabled
 Learn more
- Disallow Digest authentication 
 Baseline default: Enabled
 Learn more
Windows Components > Windows Remote Management (WinRM) > WinRM Service
- Allow Basic authentication 
 Baseline default: Disabled
 Learn more
- Allow unencrypted traffic 
 Baseline default: Disabled
 Learn more
- Disallow WinRM from storing RunAs credentials 
 Baseline default: Enabled
 Learn more
Auditing
- Account Logon Audit Credential Validation 
 Baseline default: Success+ Failure
 Learn more
- Account Logon Logoff Audit Account Lockout 
 Baseline default: Failure
 Learn more
- Account Logon Logoff Audit Group Membership 
 Baseline default: Success
 Learn more
- Account Logon Logoff Audit Logon 
 Baseline default: Success+ Failure
 Learn more
- Audit Authentication Policy Change 
 Baseline default: Success
 Learn more
- Audit Changes to Audit Policy 
 Baseline default: Success
 Learn more
- Audit File Share Access 
 Baseline default: Success+ Failure
 Learn more
- Audit Other Logon Logoff Events 
 Baseline default: Success+ Failure
 Learn more
- Audit Security Group Management 
 Baseline default: Success
 Learn more
- Audit Security System Extension 
 Baseline default: Success
 Learn more
- Audit Special Logon 
 Baseline default: Success
 Learn more
- Audit User Account Management 
 Baseline default: Success+ Failure
 Learn more
- Detailed Tracking Audit PNP Activity 
 Baseline default: Success
 Learn more
- Detailed Tracking Audit Process Creation 
 Baseline default: Success
 Learn more
- Object Access Audit Detailed File Share 
 Baseline default: Failure
 Learn more
- Object Access Audit Other Object Access Events 
 Baseline default: Success+ Failure
 Learn more
- Object Access Audit Removable Storage 
 Baseline default: Success+ Failure
 Learn more
- Policy Change Audit MPSSVC Rule Level Policy Change 
 Baseline default: Success+ Failure
 Learn more
- Policy Change Audit Other Policy Change Events 
 Baseline default: Failure
 Learn more
- Privilege Use Audit Sensitive Privilege Use 
 Baseline default: Success
 Learn more
- System Audit Other System Events 
 Baseline default: Success+ Failure
 Learn more
- System Audit Security State Change 
 Baseline default: Success
 Learn more
- System Audit System Integrity 
 Baseline default: Success+ Failure
 Learn more
Browser
- Allow Password Manager 
 Baseline default: Block
 Learn more
- Allow Smart Screen 
 Baseline default: Allow
 Learn more
- Prevent Cert Error Overrides 
 Baseline default: Enabled
 Learn more
- Prevent Smart Screen Prompt Override 
 Baseline default: Enabled
 Learn more
- Prevent Smart Screen Prompt Override For Files 
 Baseline default: Enabled
 Learn more
Data Protection
- Allow Direct Memory Access
 Baseline default: Block
 Learn more
Defender
- Allow Archive Scanning 
 Baseline default: Allowed. Scans the archive files.
 Learn more
- Allow Behavior Monitoring 
 Baseline default: Allowed. Turns on real-time behavior monitoring.
 Learn more
- Allow Cloud Protection 
 Baseline default: Allowed. Turns on Cloud Protection.
 Learn more
- Allow Full Scan Removable Drive Scanning 
 Baseline default: Allowed. Scans removable drives.
 Learn more
- Allow On Access Protection 
 Baseline default: Allowed.
 Learn more
- Allow Realtime Monitoring 
 Baseline default: Allowed. Turns on and runs the real-time monitoring service.
 Learn more
- Allow scanning of all downloaded files and attachments 
 Baseline default: Allowed.
 Learn more
- Allow Script Scanning 
 Baseline default: Allowed.
 Learn more
- Block execution of potentially obfuscated scripts
 Baseline default: Block
 Learn more
- Block Win32 API calls from Office macros
 Baseline default: Block
 Learn more
- Block Office communication application from creating child processes
 Baseline default: Block
 Learn more
- Block all Office applications from creating child processes
 Baseline default: Block
 Learn more
- Block JavaScript or VBScript from launching downloaded executable content
 Baseline default: Block
 Learn more
- Block untrusted and unsigned processes that run from USB
 Baseline default: Block
 Learn more
- Block Adobe Reader from creating child processes
 Baseline default: Block
 Learn more
- Block credential stealing from the Windows local security authority subsystem
 Baseline default: Block
 Learn more
- Block Office applications from creating executable content
 Baseline default: Block
 Learn more
- Block Office applications from injecting code into other processes
 Baseline default: Block
 Learn more
- Block executable content from email client and webmail
 Baseline default: Block
 Learn more
- Cloud Block Level 
 Baseline default: High
 Learn more
- Cloud Extended Timeout 
 Baseline default: Configured
 Value: 50
 Learn more
- Disable Local Admin Merge 
 Baseline default: Disable Local Admin Merge
 Learn more
- Enable File Hash Computation 
 Baseline default: Enable
 Learn more
- Enable Network Protection 
 Baseline default: Enabled (block mode)
 Learn more
- Hide Exclusions From Local Admins 
 Baseline default: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
 Learn more
- PUA Protection 
 Baseline default: PUA Protection on. Detected items are blocked. They will show in history along with other threats.
 Learn more
- Real Time Scan Direction 
 Baseline default: Monitor all files (bi-directional).
 Learn more
- Submit Samples Consent 
 Baseline default: Send all samples automatically.
 Learn more
Device Guard
- Configure System Guard Launch 
 Baseline default: Unmanaged Enables Secure Launch if supported by hardware
 Learn more
- Credential Guard 
 Baseline default: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.
 Learn more
- Enable Virtualization Based Security 
 Baseline default: Enable virtualization based security.
 Learn more
- Require Platform Security Features 
 Baseline default: Turns on VBS with Secure Boot.
 Learn more
Device Lock
- Device Password Enabled
 Baseline default: Enabled
 Learn more
  - Device Password History
   Baseline default: Configured
   Value: 24
   Learn more
  - Min Device Password Length
   Baseline default: Configured
   Value: 14
   Learn more
Dma Guard
- Device Enumeration Policy
 Baseline default: Block all (Most restrictive)
 Learn more
Experience
- Allow Windows Spotlight (User)
 Baseline default: Allow
 Learn more
  - Allow Windows Consumer Features
   Baseline default: Block
   Learn more
  - Allow Third Party Suggestions In Windows Spotlight (User)
   Baseline default: Block
   Learn more
Firewall
- Enable Domain Network Firewall 
 Baseline default: True
 Learn more
  - Enable Log Success Connections
   Baseline default: Enable Logging Of Successful Connections
   Learn more
  - Default Outbound Action
   Baseline default: Allow
   Learn more
  - Enable Log Dropped Packets
   Baseline default: Enable Logging Of Dropped Packets
   Learn more
  - Disable Inbound Notifications
   Baseline default: True
   Learn more
  - Log Max File Size
   Baseline default: 16384
   Learn more
  - Default Inbound Action for Domain Profile
   Baseline default: Block
   Learn more
- Enable Private Network Firewall 
 Baseline default: True
 Learn more
  - Log Max File Size
   Baseline default: 16384
   Learn more
  - Default Inbound Action for Private Profile
   Baseline default: Block
   Learn more
  - Enable Log Success Connections
   Baseline default: Enable Logging Of Successful Connections
   Learn more
  - Enable Log Dropped Packets
   Baseline default: Enable Logging Of Dropped Packets
   Learn more
  - Default Outbound Action
   Baseline default: Allow
   Learn more
  - Disable Inbound Notifications
   Baseline default: True
   Learn more
- Enable Public Network Firewall 
 Baseline default: True
 Learn more
  - Enable Log Dropped Packets
   Baseline default: Enable Logging Of Dropped Packets
   Learn more
  - Log Max File Size
   Baseline default: 16384
   Learn more
  - Default Outbound Action
   Baseline default: Allow
   Learn more
  - Disable Inbound Notifications
   Baseline default: True
   Learn more
  - Default Inbound Action for Public Profile
   Baseline default: Block
   Learn more
  - Allow Local Policy Merge
   Baseline default: False
   Learn more
  - Enable Log Success Connections
   Baseline default: Enable Logging Of Successful Connections
   Learn more
  - Allow Local Ipsec Policy Merge
   Baseline default: False
   Learn more
Lanman Workstation
- Enable Insecure Guest Logons
 Baseline default: Disabled
 Learn more
Local Policies Security Options
- Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only 
 Baseline default: Enabled
 Learn more
- Interactive Logon Machine Inactivity Limit 
 Baseline default: Configured
 Value: 900
 Learn more
- Interactive Logon Smart Card Removal Behavior 
 Baseline default: Lock Workstation
 Learn more
- Microsoft Network Client Digitally Sign Communications Always 
 Baseline default: Enable
 Learn more
- Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers 
 Baseline default: Disable
 Learn more
- Microsoft Network Server Digitally Sign Communications Always 
 Baseline default: Enable
 Learn more
- Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts 
 Baseline default: Enabled
 Learn more
- Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares 
 Baseline default: Enabled
 Learn more
- Network Access Restrict Anonymous Access To Named Pipes And Shares 
 Baseline default: Enable
 Learn more
- Network Access Restrict Clients Allowed To Make Remote Calls To SAM 
 Baseline default: Configured
 Value: O:BAG:BAD:(A;;RC;;;BA)
 Learn more
- Network Security Do Not Store LAN Manager Hash Value On Next Password Change 
 Baseline default: Enable
 Learn more
- Network Security LAN Manager Authentication Level 
 Baseline default: Send LM and NTLMv2 responses only. Refuse LM and NTLM
 Learn more
- Network Security Minimum Session Security For NTLMSSP Based Clients 
 Baseline default: Require NTLM and 128-bit encryption
 Learn more
- Network Security Minimum Session Security For NTLMSSP Based Servers 
 Baseline default: Require NTLM and 128-bit encryption
 Learn more
- User Account Control Behavior Of The Elevation Prompt For Administrators 
 Baseline default: Prompt for consent on the secure desktop
 Learn more
- User Account Control Behavior Of The Elevation Prompt For Standard Users 
 Baseline default: Automatically deny elevation requests
 Learn more
- User Account Control Detect Application Installations And Prompt For Elevation 
 Baseline default: Enable
 Learn more
- User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations 
 Baseline default: Enabled: Application runs with UIAccess integrity only if it resides in secure location.
 Learn more
- User Account Control Run All Administrators In Admin Approval Mode 
 Baseline default: Enabled
 Learn more
- User Account Control Use Admin Approval Mode 
 Baseline default: Enable
 Learn more
- User Account Control Virtualize File And Registry Write Failures To Per User Locations 
 Baseline default: Enabled
 Learn more
Local Security Authority
- Configure Lsa Protected Process
 Baseline default: Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked.
 Learn more
Microsoft App Store
- Allow Game DVR 
 Baseline default: Block
 Learn more
- MSI Allow User Control Over Install 
 Baseline default: Disabled
 Learn more
- MSI Always Install With Elevated Privileges 
 Baseline default: Disabled
 Learn more
Microsoft Edge
SmartScreen settings
- Configure Microsoft Defender SmartScreen 
 Baseline default: Enabled
- Prevent bypassing Microsoft Defender SmartScreen prompts for sites 
 Baseline default: Enabled
Privacy
- Let Apps Activate With Voice Above Lock
 Baseline default: Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it.
 Learn more
Search
- Allow Indexing Encrypted Stores Or Items
 Baseline default: Block
 Learn more
Smart Screen
- Enable Smart Screen In Shell 
 Baseline default: Enabled
 Learn more
- Prevent Override For Files In Shell 
 Baseline default: Enabled
 Learn more
Enhanced Phishing Protection
- Notify Malicious 
 Baseline default: Enabled
- Notify Password Reuse 
 Baseline default: Enabled
- Notify Unsafe App 
 Baseline default: Enabled
- Service Enabled 
 Baseline default: Enabled
System Services
- Configure Xbox Accessory Management Service Startup Mode 
 Baseline default: Disabled
 Learn more
- Configure Xbox Live Auth Manager Service Startup Mode 
 Baseline default: Disabled
 Learn more
- Configure Xbox Live Game Save Service Startup Mode 
 Baseline default: Disabled
 Learn more
- Configure Xbox Live Networking Service Startup Mode 
 Baseline default: Disabled
 Learn more
Task Scheduler
- Enable Xbox Game Save Task
 Baseline default: Disabled
 Learn more
User Rights
- Access From Network 
 Baseline default: Configured
 Values: Administrators (*S-1-5-32-544), Remote Desktop Users (*S-1-5-32-555)
 Learn more
- Allow Local Log On 
 Baseline default: Configured
 Values: Administrators (*S-1-5-32-544), Users (*S-1-5-32-545)
 Learn more
- Backup Files And Directories 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Create Global Objects 
 Baseline default: Configured
 Values: Administrators (*S-1-5-32-544), Local Service (*S-1-5-19), Network Service (*S-1-5-20), Service (*S-1-5-6)
 Learn more
- Create Page File 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Debug Programs 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Deny Access From Network 
 Baseline default: Configured
 Value: NT AUTHORITY\Local Account (*S-1-5-113)
 Learn more
- Deny Remote Desktop Services Log On 
 Baseline default: Configured
 Value: NT AUTHORITY\Local Account (*S-1-5-113)
 Learn more
- Impersonate Client 
 Baseline default: Configured
 Values: Administrators (*S-1-5-32-544), Service (*S-1-5-6), Local Service (*S-1-5-19), Network Service (*S-1-5-20)
 Learn more
- Load Unload Device Drivers 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Manage Auditing And Security Log 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Manage Volume 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Modify Firmware Environment 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Profile Single Process 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Remote Shutdown 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Restore Files And Directories 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
- Take Ownership 
 Baseline default: Configured
 Value: Administrators (*S-1-5-32-544)
 Learn more
Virtualization Based Technology
- Hypervisor Enforced Code Integrity
 Baseline default: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock.
 Learn more
Wi-Fi Settings
- Allow Auto Connect To Wi Fi Sense Hotspots 
 Baseline default: Block
 Learn more
- Allow Internet Sharing 
 Baseline default: Block
 Learn more
Windows Hello For Business
- Facial Features Use Enhanced Anti Spoofing
 Baseline default: True
 Learn more
Windows Ink Workspace
- Allow Windows Ink Workspace
 Baseline default: Ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
 Learn more
LAPS
- Backup Directory
 Baseline default: Backup the password to Azure AD only
 Learn more
Security Baseline for Windows, November 2021
Security Baseline for Windows, December 2020
Security Baseline for Windows, August 2020
Above Lock
- Voice activate apps from locked screen 
 Baseline default: Disabled
 Learn more
- Block display of toast notifications 
 Baseline default: Yes
 Learn more
App Runtime
- Microsoft accounts optional for Microsoft store apps
 Baseline default: Enabled
 Learn more
Application Management
- Block app installations with elevated privileges 
 Baseline default: Yes
 Learn more
- Block user control over installations 
 Baseline default: Yes
 Learn more
- Block game DVR (desktop only) 
 Baseline default: Yes
 Learn more
Audit
Audit settings control which events (success, failure, or both) are generated for the conditions that each setting covers.
- Account Logon Audit Credential Validation (Device) 
 Baseline default: Success and Failure
- Account Logon Audit Kerberos Authentication Service (Device) 
 Baseline default: None
- Account Logon Logoff Audit Account Lockout (Device) 
 Baseline default: Failure
- Account Logon Logoff Audit Group Membership (Device) 
 Baseline default: Success
- Account Logon Logoff Audit Logon (Device) 
 Baseline default: Success and Failure
- Audit Other Logon Logoff Events (Device) 
 Baseline default: Success and Failure
- Audit Special Logon (Device) 
 Baseline default: Success
- Audit Security Group Management (Device) 
 Baseline default: Success
- Audit User Account Management (Device) 
 Baseline default: Success and Failure
- Detailed Tracking Audit PNP Activity (Device) 
 Baseline default: Success
- Detailed Tracking Audit Process Creation (Device) 
 Baseline default: Success
- Object Access Audit Detailed File Share (Device) 
 Baseline default: Failure
- Audit File Share Access (Device) 
 Baseline default: Success and Failure
- Object Access Audit Other Object Access Events (Device) 
 Baseline default: Success and Failure
- Object Access Audit Removable Storage (Device) 
 Baseline default: Success and Failure
- Audit Authentication Policy Change (Device) 
 Baseline default: Success
- Policy Change Audit MPSSVC Rule Level Policy Change (Device) 
 Baseline default: Success and Failure
- Policy Change Audit Other Policy Change Events (Device) 
 Baseline default: Failure
- Audit Changes to Audit Policy (Device) 
 Baseline default: Success
- Privilege Use Audit Sensitive Privilege Use (Device) 
 Baseline default: Success and Failure
- System Audit Other System Events (Device) 
 Baseline default: Success and Failure
- System Audit Security State Change (Device) 
 Baseline default: Success
- Audit Security System Extension (Device) 
 Baseline default: Success
- System Audit System Integrity (Device) 
 Baseline default: Success and Failure
Auto Play
- Auto play default auto run behavior 
 Baseline default: Do not execute
 Learn more
- Auto play mode 
 Baseline default: Disabled
 Learn more
- Block auto play for non-volume devices 
 Baseline default: Enabled
 Learn more
BitLocker
- BitLocker removable drive policy 
 Baseline default: Configure
 Learn more
- Block write access to removable data-drives not protected by BitLocker
 Baseline default: Yes
 Learn more
 
Browser
- Block Password Manager 
 Baseline default: Yes
 Learn more
- Require SmartScreen for Microsoft Edge Legacy 
 Baseline default: Yes
 Learn more
- Block malicious site access 
 Baseline default: Yes
 Learn more
- Block unverified file download 
 Baseline default: Yes
 Learn more
- Prevent user from overriding certificate errors 
 Baseline default: Yes
 Learn more
Connectivity
- Configure secure access to UNC paths 
 Baseline default: Configure Windows to only allow access to the specified UNC paths after fulfilling additional security requirements
 Learn more
- Hardened UNC path list
 Baseline default: Not configured by default. Manually add one or more hardened UNC paths.
 
- Block downloading of print drivers over HTTP 
 Baseline default: Enabled
 Learn more
- Block Internet download for web publishing and online ordering wizards 
 Baseline default: Enabled
 Learn more
Credentials Delegation
- Remote host delegation of non-exportable credentials
 Baseline default: Enabled
 Learn more
Credentials UI
- Enumerate administrators
 Baseline default: Disabled
 Learn more
Data Protection
- Block direct memory access
 Baseline default: Yes
 Learn more
Device Guard
- Virtualization based security 
 Baseline default: Enable VBS with secure boot
- Enable virtualization based security 
 Baseline default: Yes
 Learn more
- Launch system guard 
 Baseline default: Enabled
- Turn on credential guard 
 Baseline default: Enable with UEFI lock
 Learn more
Device Installation
- Block hardware device installation by setup classes 
 Baseline default: Yes
 Learn more
- Remove matching hardware devices
 Baseline default: Yes
- Block list 
 Baseline default: Not configured by default. Manually add one or more Identifiers.
 
- Hardware device installation by device identifiers 
 Baseline default: Block hardware device installation
 Learn more
- Remove matching hardware devices
 Baseline default: Yes
- Hardware device identifiers that are blocked 
 Baseline default: Yes
 
- Hardware device installation by setup classes 
 Baseline default: Block hardware device installation
 Learn more
- Remove matching hardware devices
 Baseline default: No default configuration
- Hardware device identifiers that are blocked 
 Baseline default: No default configuration
 
Device Lock
- Require password 
 Baseline default: Yes
 Learn more
- Required password
 Baseline default: Alphanumeric
 Learn more
- Password expiration (days) 
 Baseline default: 60
 Learn more
- Password minimum character set count 
 Baseline default: 3
 Learn more
- Prevent reuse of previous passwords 
 Baseline default: 24
 Learn more
- Minimum password length 
 Baseline default: 8
 Learn more
- Number of sign-in failures before wiping device 
 Baseline default: 10
 Learn more
- Block simple passwords 
 Baseline default: Yes
 Learn more
 
- Password minimum age in days 
 Baseline default: 1
 Learn more
- Prevent use of camera 
 Baseline default: Enabled
 Learn more
- Prevent slide show 
 Baseline default: Enabled
 Learn more
DMA Guard
- Enumeration of external devices incompatible with Kernel DMA Protection
 Baseline default: Block all
Event Log Service
- Application log maximum file size in KB 
 Baseline default: 32768
 Learn more
- System log maximum file size in KB 
 Baseline default: 32768
 Learn more
- Security log maximum file size in KB 
 Baseline default: 196608
 Learn more
Experience
- Block Windows Spotlight 
 Baseline default: Yes
 Learn more
- Block third-party suggestions in Windows Spotlight
 Baseline default: Not configured
 Learn more
- Block consumer specific features 
 Baseline default: Not configured
 Learn more
 
Exploit Guard
- Upload XML
 Baseline default: Sample xml is provided
 Learn more
File Explorer
- Block data execution prevention 
 Baseline default: Disabled
 Learn more
- Block heap termination on corruption 
 Baseline default: Disabled
 Learn more
Firewall
For more information, see 2.2.2 FW_PROFILE_TYPE in the Windows Protocols documentation.
- Firewall profile domain 
 Baseline default: Configure
 Learn more
- Inbound connections blocked
 Baseline default: Yes
 Learn more
- Outbound connections required 
 Baseline default: Yes
 Learn more
- Inbound notifications blocked 
 Baseline default: Yes
 Learn more
- Firewall enabled 
 Baseline default: Allowed
 Learn more
 
- Firewall profile private 
 Baseline default: Configure
 Learn more
- Inbound connections blocked
 Baseline default: Yes
 Learn more
- Outbound connections required 
 Baseline default: Yes
 Learn more
- Inbound notifications blocked 
 Baseline default: Yes
 Learn more
- Firewall enabled 
 Baseline default: Allowed
 Learn more
 
- Firewall profile public 
 Baseline default: Configure
 Learn more
- Inbound connections blocked
 Baseline default: Yes
 Learn more
- Outbound connections required 
 Baseline default: Yes
 Learn more
- Inbound notifications blocked 
 Baseline default: Yes
 Learn more
- Firewall enabled 
 Baseline default: Allowed
 Learn more
- Connection security rules from group policy not merged 
 Baseline default: Yes
 Learn more
- Policy rules from group policy not merged 
 Baseline default: Yes
 Learn more
 
Internet Explorer
- Internet Explorer encryption support 
 Baseline default: Two items: TLS v1.1 and TLS v1.2
 Learn more
- Internet Explorer prevent managing smart screen filter 
 Baseline default: Enable
 Learn more
- Internet Explorer restricted zone script Active X controls marked safe for scripting 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone file downloads 
 Baseline default: Disable
 Learn more
- Internet Explorer certificate address mismatch warning 
 Baseline default: Enabled
 Learn more
- Internet Explorer enhanced protected mode 
 Baseline default: Enabled
 Learn more
- Internet Explorer fallback to SSL3 
 Baseline default: No sites
 Learn more
- Internet Explorer software when signature is invalid 
 Baseline default: Disabled
 Learn more
- Internet Explorer check server certificate revocation 
 Baseline default: Enabled
 Learn more
- Internet Explorer check signatures on downloaded programs 
 Baseline default: Enabled
 Learn more
- Internet Explorer processes consistent MIME handling 
 Baseline default: Enable
 Learn more
- Internet Explorer bypass smart screen warnings 
 Baseline default: Disabled
 Learn more
- Internet Explorer bypass smart screen warnings about uncommon files 
 Baseline default: Disable
 Learn more
- Internet Explorer crash detection 
 Baseline default: Disabled
 Learn more
- Internet Explorer download enclosures 
 Baseline default: Disabled
 Learn more
- Internet Explorer ignore certificate errors 
 Baseline default: Disabled
 Learn more
- Internet Explorer disable processes in enhanced protected mode 
 Baseline default: Enabled
 Learn more
- Internet Explorer security settings check 
 Baseline default: Enabled
 Learn more
- Internet Explorer Active X controls in protected mode 
 Baseline default: Disabled
 Learn more
- Internet Explorer users adding sites 
 Baseline default: Disabled
 Learn more
- Internet Explorer users changing policies 
 Baseline default: Disabled
 Learn more
- Internet Explorer block outdated Active X controls 
 Baseline default: Enabled
 Learn more
- Internet Explorer include all network paths 
 Baseline default: Disabled
 Learn more
- Internet Explorer internet zone access to data sources 
 Baseline default: Disabled
 Learn more
- Internet Explorer internet zone automatic prompt for file downloads 
 Baseline default: Disabled
 Learn more
- Internet Explorer internet zone copy and paste via script 
 Baseline default: Disable
 Learn more
- Internet Explorer internet zone drag and drop or copy and paste files 
 Baseline default: Disabled
 Learn more
- Internet Explorer internet zone less privileged sites 
 Baseline default: Disable
 Learn more
- Internet Explorer internet zone loading of XAML files 
 Baseline default: Disable
 Learn more
- Internet Explorer internet zone .NET Framework reliant components 
 Baseline default: Disabled
 Learn more
- Internet Explorer internet zone allow only approved domains to use ActiveX controls 
 Baseline default: Enabled
 Learn more
- Internet Explorer internet zone allow only approved domains to use tdc ActiveX controls 
 Baseline default: Enabled
 Learn more
- Internet Explorer internet zone scripting of web browser controls 
 Baseline default: Disabled
 Learn more
- Internet Explorer internet zone script initiated windows 
 Baseline default: Disabled
 Learn more
- Internet Explorer internet zone scriptlets 
 Baseline default: Disable
 Learn more
- Internet Explorer internet zone smart screen 
 Baseline default: Enabled
 Learn more
- Internet Explorer internet zone updates to status bar via script 
 Baseline default: Disabled
 Learn more
- Internet Explorer internet zone user data persistence 
 Baseline default: Disabled
 Learn more
- Internet Explorer internet zone allow VBscript to run 
 Baseline default: Disable
 Learn more
- Internet Explorer internet zone do not run antimalware against ActiveX controls 
 Baseline default: Disabled
 Learn more
- Internet Explorer internet zone download signed ActiveX controls 
 Baseline default: Disable
 Learn more
- Internet Explorer internet zone download unsigned ActiveX controls 
 Baseline default: Disable
 Learn more
- Internet Explorer internet zone cross site scripting filter 
 Baseline default: Enabled
 Learn more
- Internet Explorer internet zone drag content from different domains across windows 
 Baseline default: Disabled
 Learn more
- Internet Explorer internet zone drag content from different domains within windows 
 Baseline default: Disabled
 Learn more
- Internet Explorer internet zone protected mode 
 Baseline default: Enable
 Learn more
- Internet Explorer internet zone include local path when uploading files to server 
 Baseline default: Disabled
 Learn more
- Internet Explorer internet zone initialize and script Active X controls not marked as safe 
 Baseline default: Disable
 Learn more
- Internet Explorer internet zone java permissions 
 Baseline default: Disable java
 Learn more
- Internet Explorer internet zone launch applications and files in an iframe 
 Baseline default: Disable
 Learn more
- Internet Explorer internet zone logon options 
 Baseline default: Prompt
 Learn more
- Internet Explorer internet zone navigate windows and frames across different domains 
 Baseline default: Disable
 Learn more
- Internet Explorer internet zone run .NET Framework reliant components signed with Authenticode 
 Baseline default: Disable
 Learn more
- Internet Explorer internet zone security warning for potentially unsafe files 
 Baseline default: Prompt
 Learn more
- Internet Explorer internet zone popup blocker 
 Baseline default: Enable
 Learn more
- Internet Explorer intranet zone do not run antimalware against Active X controls 
 Baseline default: Disabled
 Learn more
- Internet Explorer intranet zone initialize and script Active X controls not marked as safe 
 Baseline default: Disable
 Learn more
- Internet Explorer intranet zone java permissions 
 Baseline default: High safety
 Learn more
- Internet Explorer local machine zone do not run antimalware against Active X controls 
 Baseline default: Disabled
 Learn more
- Internet Explorer local machine zone java permissions 
 Baseline default: Disable java
 Learn more
- Internet Explorer locked down internet zone smart screen 
 Baseline default: Enabled
 Learn more
- Internet Explorer locked down intranet zone java permissions 
 Baseline default: Disable java
 Learn more
- Internet Explorer locked down local machine zone java permissions 
 Baseline default: Disable java
 Learn more
- Internet Explorer locked down restricted zone smart screen 
 Baseline default: Enabled
 Learn more
- Internet Explorer locked down restricted zone java permissions 
 Baseline default: Disable Java
 Learn more
- Internet Explorer locked down trusted zone java permissions 
 Baseline default: Disable java
 Learn more
- Internet Explorer processes MIME sniffing safety feature 
 Baseline default: Enable
 Learn more
- Internet Explorer processes MK protocol security restriction 
 Baseline default: Enabled
 Learn more
- Internet Explorer processes notification bar 
 Baseline default: Enabled
 Learn more
- Internet Explorer prevent per user installation of Active X controls 
 Baseline default: Enabled
 Learn more
- Internet Explorer processes protection from zone elevation 
 Baseline default: Enabled
 Learn more
- Internet Explorer remove run this time button for outdated Active X controls 
 Baseline default: Enabled
 Learn more
- Internet Explorer processes restrict Active X install 
 Baseline default: Enabled
 Learn more
- Internet Explorer restricted zone access to data sources 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone active scripting 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone automatic prompt for file downloads 
 Baseline default: Disabled
 Learn more
- Internet Explorer restricted zone binary and script behaviors 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone copy and paste via script 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone drag and drop or copy and paste files 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone less privileged sites 
 Baseline default: Disabled
 Learn more
- Internet Explorer restricted zone loading of XAML files 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone meta refresh 
 Baseline default: Disabled
 Learn more
- Internet Explorer restricted zone .NET Framework reliant components 
 Baseline default: Disabled
 Learn more
- Internet Explorer restricted zone allow only approved domains to use Active X controls 
 Baseline default: Enabled
 Learn more
- Internet Explorer restricted zone allow only approved domains to use tdc Active X controls 
 Baseline default: Enabled
 Learn more
- Internet Explorer restricted zone scripting of web browser controls 
 Baseline default: Disabled
 Learn more
- Internet Explorer restricted zone script initiated windows 
 Baseline default: Disabled
 Learn more
- Internet Explorer restricted zone scriptlets 
 Baseline default: Disabled
 Learn more
- Internet Explorer restricted zone smart screen 
 Baseline default: Enabled
 Learn more
- Internet Explorer restricted zone updates to status bar via script 
 Baseline default: Disabled
 Learn more
- Internet Explorer restricted zone user data persistence 
 Baseline default: Disabled
 Learn more
- Internet Explorer restricted zone allow vbscript to run 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone do not run antimalware against Active X controls 
 Baseline default: Disabled
 Learn more
- Internet Explorer restricted zone download signed Active X controls 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone download unsigned Active X controls 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone cross site scripting filter 
 Baseline default: Enabled
 Learn more
- Internet Explorer restricted zone drag content from different domains across windows 
 Baseline default: Disabled
 Learn more
- Internet Explorer restricted zone drag content from different domains within windows 
 Baseline default: Disabled
 Learn more
- Internet Explorer restricted zone include local path when uploading files to server 
 Baseline default: Disabled
 Learn more
- Internet Explorer restricted zone initialize and script Active X controls not marked as safe 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone java permissions 
 Baseline default: Disable java
 Learn more
- Internet Explorer restricted zone launch applications and files in an iFrame 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone logon options 
 Baseline default: Anonymous
 Learn more
- Internet Explorer restricted zone navigate windows and frames across different domains 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone run Active X controls and plugins 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone run .NET Framework reliant components signed with Authenticode 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone scripting of java applets 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone security warning for potentially unsafe files 
 Baseline default: Disable
 Learn more
- Internet Explorer restricted zone protected mode 
 Baseline default: Enable
 Learn more
- Internet Explorer restricted zone popup blocker 
 Baseline default: Enable
 Learn more
- Internet Explorer processes restrict file download 
 Baseline default: Enabled
 Learn more
- Internet Explorer processes scripted window security restrictions 
 Baseline default: Enabled
 Learn more
- Internet Explorer security zones use only machine settings 
 Baseline default: Enabled
 Learn more
- Internet Explorer use Active X installer service 
 Baseline default: Enabled
 Learn more
- Internet Explorer trusted zone do not run antimalware against Active X controls 
 Baseline default: Disabled
 Learn more
- Internet Explorer trusted zone initialize and script Active X controls not marked as safe 
 Baseline default: Disable
 Learn more
- Internet Explorer trusted zone java permissions 
 Baseline default: High safety
 Learn more
- Internet Explorer auto complete 
 Baseline default: Disabled
 Learn more
Local Policies Security Options
- Block remote logon with blank password 
 Baseline default: Yes
 Learn more
- Minutes of lock screen inactivity until screen saver activates 
 Baseline default: 15
 Learn more
- Smart card removal behavior 
 Baseline default: Lock workstation
 Learn more
- Require client to always digitally sign communications 
 Baseline default: Yes
 Learn more
- Prevent clients from sending unencrypted passwords to third party SMB servers 
 Baseline default: Yes
 Learn more
- Require server digitally signing communications always 
 Baseline default: Yes
 Learn more
- Prevent anonymous enumeration of SAM accounts 
 Baseline default: Yes
 Learn more
- Block anonymous enumeration of SAM accounts and shares 
 Baseline default: Yes
 Learn more
- Restrict anonymous access to named pipes and shares 
 Baseline default: Yes
 Learn more
- Allow remote calls to security accounts manager 
 Baseline default: O:BAG:BAD:(A;;RC;;;BA)
 Learn more
- Prevent storing LAN manager hash value on next password change 
 Baseline default: Yes
 Learn more
- Authentication level 
 Baseline default: Send NTLMv2 response only. Refuse LM and NTLM
 Learn more
- Minimum session security for NTLM SSP based clients 
 Baseline default: Require NTLM V2 128 encryption
 Learn more
- Minimum session security for NTLM SSP based servers 
 Baseline default: Require NTLM V2 and 128 bit encryption
 Learn more
- Administrator elevation prompt behavior 
 Baseline default: Prompt for consent on the secure desktop
 Learn more
- Standard user elevation prompt behavior 
 Baseline default: Automatically deny elevation requests
 Learn more
- Detect application installations and prompt for elevation 
 Baseline default: Yes
 Learn more
- Only allow UI access applications for secure locations 
 Baseline default: Yes
 Learn more
- Require admin approval mode for administrators 
 Baseline default: Yes
 Learn more
- Use admin approval mode 
 Baseline default: Yes
 Learn more
- Virtualize file and registry write failures to per user locations 
 Baseline default: Yes
 Learn more
Microsoft Defender
- Block Adobe Reader from creating child processes 
 Baseline default: Enable
 Learn more
- Block Office communication apps launch in a child process 
 Baseline default: Enable
 Learn more
- Enter how often (0-24 hours) to check for security intelligence updates 
 Baseline default: 4
 Learn more
- Scan type 
 Baseline default: Quick scan
 Learn more
- Defender schedule scan day 
 Baseline default: Everyday
- Defender scan start time 
 Baseline default: Not configured
- Cloud-delivered protection level 
 Baseline default: Not Configured
 Learn more
- Scan network files 
 Baseline default: Yes
 Learn more
- Turn on real-time protection 
 Baseline default: Yes
 Learn more
- Scan scripts that are used in Microsoft browsers 
 Baseline default: Yes
 Learn more
- Scan archive files 
 Baseline default: Yes
 Learn more
- Turn on behavior monitoring 
 Baseline default: Yes
 Learn more
- Turn on cloud-delivered protection 
 Baseline default: Yes
 Learn more
- Scan incoming mail messages 
 Baseline default: Yes
 Learn more
- Scan removable drives during a full scan 
 Baseline default: Yes
 Learn more
- Block Office applications from injecting code into other processes 
 Baseline default: Block
 Learn more
- Block Office applications from creating executable content 
 Baseline default: Block
 Learn more
- Block all Office applications from creating child processes 
 Baseline default: Block
 Learn more
- Block Win32 API calls from Office macro 
 Baseline default: Block
 Learn more
- Block execution of potentially obfuscated scripts (js/vbs/ps) 
 Baseline default: Block
 Learn more
- Block JavaScript or VBScript from launching downloaded executable content 
 Baseline default: Block
 Learn more
- Block executable content download from email and webmail clients 
 Baseline default: Block
 Learn more
- Block credential stealing from the Windows local security authority subsystem (lsass.exe) 
 Baseline default: Enable
 Learn more
- Defender potentially unwanted app action 
 Baseline default: Block
 Learn more
- Block untrusted and unsigned processes that run from USB 
 Baseline default: Block
 Learn more
- Enable network protection 
 Baseline default: Enable
 Learn more
- Defender sample submission consent type 
 Baseline default: Send safe samples automatically
 Learn more
MS Security Guide
- SMB v1 client driver start configuration
 Baseline default: Disabled driver
- Apply UAC restrictions to local accounts on network logon
 Baseline default: Enabled
- Structured exception handling overwrite protection
 Baseline default: Enabled
- SMB v1 server
 Baseline default: Disabled
- Digest authentication
 Baseline default: Disabled
MSS Legacy
- Network IPv6 source routing protection level
 Baseline default: Highest protection
- Network IP source routing protection level
 Baseline default: Highest protection
- Network ignore NetBIOS name release requests except from WINS servers
 Baseline default: Enabled
- Network ICMP redirects override OSPF generated routes
 Baseline default: Disabled
Power
- Require password on wake while on battery
 Baseline default: Enabled
- Require password on wake while plugged in
 Baseline default: Enabled
- Standby states when sleeping while on battery
 Baseline default: Disabled
- Standby states when sleeping while plugged in
 Baseline default: Disabled
Remote Assistance
- Remote Assistance solicited
 Baseline default: Disable Remote Assistance
Remote Desktop Services
- Remote desktop services client connection encryption level
 Baseline default: High
- Block drive redirection
 Baseline default: Enabled
- Block password saving
 Baseline default: Enabled
- Prompt for password upon connection
 Baseline default: Enabled
- Secure RPC communication
 Baseline default: Enabled
Remote Management
- Block client digest authentication
 Baseline default: Enabled
- Block storing run as credentials
 Baseline default: Enabled
- Client basic authentication
 Baseline default: Disabled
- Basic authentication
 Baseline default: Disabled
- Client unencrypted traffic
 Baseline default: Disabled
- Unencrypted traffic
 Baseline default: Disabled
Remote Procedure Call
- RPC unauthenticated client options
 Baseline default: Authenticated
Search
- Disable indexing encrypted items
 Baseline default: Yes
Smart Screen
- Turn on Windows SmartScreen
 Baseline default: Yes
- Block users from ignoring SmartScreen warnings
 Baseline default: Yes
System
- System boot start driver initialization
 Baseline default: Good unknown and bad critical
Wi-Fi
- Block Automatically connecting to Wi-Fi hotspots
 Baseline default: Yes
- Block Internet sharing
 Baseline default: Yes
Windows Connection Manager
- Block connection to non-domain networks
 Baseline default: Enabled
Windows Ink Workspace
- Ink Workspace
 Baseline default: Enabled
Windows PowerShell
- PowerShell script block logging
 Baseline default: Enabled