| title | Settings list for the Windows 365 Cloud PC security baseline in Intune |
|---|---|
| description | View a list of the settings in the Microsoft Intune security baseline for Windows 365 Cloud PC. This list includes the default values for settings as found in the default configuration of the baseline. |
| ms.date | 09/10/2024 |
| ms.topic | reference |
| ms.reviewer | aanavath |
| ms.collection | |
| zone_pivot_groups | windows-365-versions |
This article is a reference for the settings that are available in the Windows 365 Cloud PC security baseline for Microsoft Intune.
Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings.
The details that display in this article are based on the baseline version you select at the top of the article. For each version, this article displays:
- A list of each setting with its configuration as found in the default instance of that baseline version.
- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a setting's use.
When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version:
- Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings.
To learn more about using security baselines, see:
::: zone pivot="win365-24h1"
The settings in this baseline apply to Windows devices managed through Intune. When available, the setting name links to the source Configuration Service Provider (CSP), and each entry then displays that setting's default configuration in the baseline.
- Prevent enabling lock screen camera
  Baseline default: Enabled
- Prevent enabling lock screen slide show
  Baseline default: Enabled
- Apply UAC restrictions to local accounts on network logons
  Baseline default: Enabled
- Configure SMB v1 client driver
  Baseline default: Enabled
  - Configure MrxSmb10 driver
    Baseline default: Disable driver (recommended)
- Configure SMB v1 server
  Baseline default: Disabled
- Enable Structured Exception Handling Overwrite Protection (SEHOP)
  Baseline default: Enabled
- WDigest Authentication (disabling may require KB2871997)
  Baseline default: Disabled
- MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
  Baseline default: Enabled
  - DisableIPSourceRouting IPv6 (Device)
    Baseline default: Highest protection, source routing is completely disabled
- MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
  Baseline default: Enabled
  - DisableIPSourceRouting (Device)
    Baseline default: Highest protection, source routing is completely disabled
- MSS: (EnableCMPRedirect) Allow ICMP redirects to override OSPF generated routes
  Baseline default: Disabled
- MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
  Baseline default: Enabled
- Turn off multicast name resolution
  Baseline default: Enabled
- Prohibit use of Internet Connection Sharing on your DNS domain network
  Baseline default: Enabled
- Hardened UNC Paths
  Baseline default: Enabled
  - Hardened UNC Paths: (Device)
    Baseline defaults:

    | Name | Value |
    |---|---|
    | `\\*\SYSVOL` | `RequireMutualAuthentication=1,RequireIntegrity=1` |
    | `\\*\NETLOGON` | `RequireMutualAuthentication=1,RequireIntegrity=1` |

- Prohibit connection to non-domain networks when connected to domain authenticated network
  Baseline default: Enabled
- Turn off toast notifications on the lock screen (User)
  Baseline default: Enabled
- Encryption Oracle Remediation
  Baseline default: Enabled
  - Protection Level: (Device)
    Baseline default: Force Updated Clients
- Remote host allows delegation of non-exportable credentials
  Baseline default: Enabled
- Prevent installation of devices using drivers that match these device setup classes
  Baseline default: Enabled
  - Prevented Classes
    Baseline default: {d48179be-ec20-11d1-b6b8-00c04fa372a7}
  - Also apply to matching devices that are already installed
    Baseline default: True
- Boot-Start Driver Initialization Policy
  Baseline default: Enabled
  - Choose the boot-start drivers that can be initialized:
    Baseline default: Good, unknown and bad but critical
- Configure registry policy processing
  Baseline default: Enabled
  - Do not apply during periodic background processing (Device)
    Baseline default: False
  - Process even if the Group Policy objects have not changed (Device)
    Baseline default: True
- Turn off downloading of print drivers over HTTP
  Baseline default: Enabled
- Turn off Internet download for Web publishing and online ordering wizards
  Baseline default: Enabled
- Configure Solicited Remote Assistance
  Baseline default: Disabled
- Restrict Unauthenticated RPC clients
  Baseline default: Enabled
  - RPC Runtime Unauthenticated Client Restriction to Apply:
    Baseline default: Authenticated
- Allow Microsoft accounts to be optional
  Baseline default: Enabled
- Disallow Autoplay for non-volume devices
  Baseline default: Enabled
- Set the default behavior for AutoRun
  Baseline default: Enabled
  - Default AutoRun Behavior
    Baseline default: Do not execute any autorun commands
- Turn off Autoplay
  Baseline default: Enabled
  - Turn off Autoplay on:
    Baseline default: All drives
- Enumerate administrator accounts on elevation
  Baseline default: Disabled
- Specify the maximum log file size (KB)
  Baseline default: Enabled
  - Maximum Log Size (KB)
    Baseline default: 32768
- Specify the maximum log file size (KB)
  Baseline default: Enabled
  - Maximum Log Size (KB)
    Baseline default: 196608
- Specify the maximum log file size (KB)
  Baseline default: Enabled
  - Maximum Log Size (KB)
    Baseline default: 32768
- Configure Windows Defender SmartScreen
  Baseline default: Enabled
  - Pick one of the following settings: (Device)
    Baseline default: Warn and prevent bypass
- Turn off Data Execution Prevention for Explorer
  Baseline default: Disabled
- Turn off heap termination on corruption
  Baseline default: Disabled
- Allow software to run or install even if the signature is invalid
  Baseline default: Disabled
- Check for server certificate revocation
  Baseline default: Enabled
- Check for signatures on downloaded programs
  Baseline default: Enabled
- Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
  Baseline default: Enabled
- Turn off encryption support
  Baseline default: Enabled
  - Secure Protocol combinations
    Baseline default: Use TLS 1.1 and TLS 1.2
- Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows
  Baseline default: Enabled
- Turn on Enhanced Protected Mode
  Baseline default: Enabled
- Prevent ignoring certificate errors
  Baseline default: Enabled
- Access data sources across domains
  Baseline default: Enabled
  - Access data sources across domains
    Baseline default: Disable
- Allow cut, copy or paste operations from the clipboard via script
  Baseline default: Enabled
  - Allow paste operations via script
    Baseline default: Disable
- Allow drag and drop or copy and paste files
  Baseline default: Enabled
  - Allow drag and drop or copy and paste files
    Baseline default: Disable
- Allow loading of XAML files
  Baseline default: Enabled
  - XAML Files
    Baseline default: Disable
- Allow only approved domains to use ActiveX controls without prompt
  Baseline default: Enabled
  - Only allow approved domains to use ActiveX controls without prompt
    Baseline default: Enable
- Allow only approved domains to use the TDC ActiveX control
  Baseline default: Enabled
  - Only allow approved domains to use the TDC ActiveX control
    Baseline default: Enable
- Allow script-initiated windows without size or position constraints
  Baseline default: Enabled
  - Allow script-initiated windows without size or position constraints
    Baseline default: Disable
- Allow scripting of Internet Explorer WebBrowser controls
  Baseline default: Enabled
  - Internet Explorer web browser control
    Baseline default: Disable
- Allow scriptlets
  Baseline default: Enabled
  - Scriptlets
    Baseline default: Disable
- Allow updates to status bar via script
  Baseline default: Enabled
  - Status bar updates via script
    Baseline default: Disable
- Allow VBScript to run in Internet Explorer
  Baseline default: Enabled
  - Allow VBScript to run in Internet Explorer
    Baseline default: Disable
- Automatic prompting for file downloads
  Baseline default: Enabled
  - Automatic prompting for file downloads
    Baseline default: Disable
- Don't run antimalware programs against ActiveX controls
  Baseline default: Enabled
  - Don't run antimalware programs against ActiveX controls
    Baseline default: Disable
- Download signed ActiveX controls
  Baseline default: Enabled
  - Download signed ActiveX controls
    Baseline default: Disable
- Download unsigned ActiveX controls
  Baseline default: Enabled
  - Download unsigned ActiveX controls
    Baseline default: Disable
- Enable dragging of content from different domains across windows
  Baseline default: Enabled
  - Enable dragging of content from different domains across windows
    Baseline default: Disable
- Enable dragging of content from different domains within a window
  Baseline default: Enabled
  - Enable dragging of content from different domains within a window
    Baseline default: Disable
- Include local path when user is uploading files to a server
  Baseline default: Enabled
  - Include local directory path when uploading files to a server
    Baseline default: Disable
- Initialize and script ActiveX controls not marked as safe
  Baseline default: Enabled
  - Initialize and script ActiveX controls not marked as safe
    Baseline default: Disable
- Java permissions
  Baseline default: Enabled
  - Java permissions
    Baseline default: Disable Java
- Launching applications and files in an IFRAME
  Baseline default: Enabled
  - Launching applications and files in an IFRAME
    Baseline default: Disable
- Logon options
  Baseline default: Enabled
  - Logon options
    Baseline default: Prompt for user name and password
- Navigate windows and frames across different domains
  Baseline default: Enabled
  - Navigate windows and frames across different domains
    Baseline default: Disable
- Run .NET Framework-reliant components not signed with Authenticode
  Baseline default: Enabled
  - Run .NET Framework-reliant components not signed with Authenticode
    Baseline default: Disable
- Run .NET Framework-reliant components signed with Authenticode
  Baseline default: Enabled
  - Run .NET Framework-reliant components signed with Authenticode
    Baseline default: Disable
- Show security warning for potentially unsafe files
  Baseline default: Enabled
  - Launching programs and unsafe files
    Baseline default: Prompt
- Turn on Cross-Site Scripting Filter
  Baseline default: Enabled
  - Turn on Cross-Site Scripting (XSS) Filter
    Baseline default: Enable
- Turn on Protected Mode
  Baseline default: Enabled
  - Protected Mode
    Baseline default: Enable
- Turn on SmartScreen Filter scan
  Baseline default: Enabled
  - Use SmartScreen Filter
    Baseline default: Enable
- Use Pop-up Blocker
  Baseline default: Enabled
  - Use Pop-up Blocker
    Baseline default: Enable
- Userdata persistence
  Baseline default: Enabled
  - Userdata persistence
    Baseline default: Disable
- Web sites in less privileged Web content zones can navigate into this zone
  Baseline default: Enabled
  - Web sites in less privileged Web content zones can navigate into this zone
    Baseline default: Disable
- Intranet Sites: Include all network paths (UNCs)
  Baseline default: Disabled
- Turn on certificate address mismatch warning
  Baseline default: Enabled
- Don't run antimalware programs against ActiveX controls
  Baseline default: Enabled
  - Don't run antimalware programs against ActiveX controls
    Baseline default: Disable
- Initialize and script ActiveX controls not marked as safe
  Baseline default: Enabled
  - Initialize and script ActiveX controls not marked as safe
    Baseline default: Disable
- Java permissions
  Baseline default: Enabled
  - Java permissions
    Baseline default: High safety

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone

- Don't run antimalware programs against ActiveX controls
  Baseline default: Enabled
  - Don't run antimalware programs against ActiveX controls
    Baseline default: Disable
- Java permissions
  Baseline default: Enabled
  - Java permissions
    Baseline default: Disable Java

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone

- Turn on SmartScreen Filter scan
  Baseline default: Enabled
  - Use SmartScreen Filter
    Baseline default: Enable

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone

- Java permissions
  Baseline default: Enabled
  - Java permissions
    Baseline default: Disable Java

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone

- Java permissions
  Baseline default: Enabled
  - Java permissions
    Baseline default: Disable Java

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone

- Java permissions
  Baseline default: Enabled
  - Java permissions
    Baseline default: Disable Java
- Turn on SmartScreen Filter scan
  Baseline default: Enabled
  - Use SmartScreen Filter
    Baseline default: Enable

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone

- Java permissions
  Baseline default: Enabled
  - Java permissions
    Baseline default: Disable Java

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone

- Access data sources across domains
  Baseline default: Enabled
  - Access data sources across domains
    Baseline default: Disable
- Allow active scripting
  Baseline default: Enabled
  - Allow active scripting
    Baseline default: Disable
- Allow binary and script behaviors
  Baseline default: Enabled
  - Allow binary and script behaviors
    Baseline default: Disable
- Allow cut, copy or paste operations from the clipboard via script
  Baseline default: Enabled
  - Allow paste operations via script
    Baseline default: Disable
- Allow drag and drop or copy and paste files
  Baseline default: Enabled
  - Allow drag and drop or copy and paste files
    Baseline default: Disable
- Allow file downloads
  Baseline default: Enabled
  - Allow file downloads
    Baseline default: Disable
- Allow loading of XAML files
  Baseline default: Enabled
  - XAML Files
    Baseline default: Disable
- Allow META REFRESH
  Baseline default: Enabled
  - Allow META REFRESH
    Baseline default: Disable
- Allow only approved domains to use ActiveX controls without prompt
  Baseline default: Enabled
  - Only allow approved domains to use ActiveX controls without prompt
    Baseline default: Enable
- Allow only approved domains to use the TDC ActiveX control
  Baseline default: Enabled
  - Only allow approved domains to use the TDC ActiveX control
    Baseline default: Enable
- Allow script-initiated windows without size or position constraints
  Baseline default: Enabled
  - Allow script-initiated windows without size or position constraints
    Baseline default: Disable
- Allow scripting of Internet Explorer WebBrowser controls
  Baseline default: Enabled
  - Internet Explorer web browser control
    Baseline default: Disable
- Allow scriptlets
  Baseline default: Enabled
  - Scriptlets
    Baseline default: Disable
- Allow updates to status bar via script
  Baseline default: Enabled
  - Status bar updates via script
    Baseline default: Disable
- Allow VBScript to run in Internet Explorer
  Baseline default: Enabled
  - Allow VBScript to run in Internet Explorer
    Baseline default: Disable
- Automatic prompting for file downloads
  Baseline default: Enabled
  - Automatic prompting for file downloads
    Baseline default: Disable
- Don't run antimalware programs against ActiveX controls
  Baseline default: Enabled
  - Don't run antimalware programs against ActiveX controls
    Baseline default: Disable
- Download signed ActiveX controls
  Baseline default: Enabled
  - Download signed ActiveX controls
    Baseline default: Disable
- Download unsigned ActiveX controls
  Baseline default: Enabled
  - Download unsigned ActiveX controls
    Baseline default: Disable
- Enable dragging of content from different domains across windows
  Baseline default: Enabled
  - Enable dragging of content from different domains across windows
    Baseline default: Disable
- Enable dragging of content from different domains within a window
  Baseline default: Enabled
  - Enable dragging of content from different domains within a window
    Baseline default: Disable
- Include local path when user is uploading files to a server
  Baseline default: Enabled
  - Include local directory path when uploading files to a server
    Baseline default: Disable
- Initialize and script ActiveX controls not marked as safe
  Baseline default: Enabled
  - Initialize and script ActiveX controls not marked as safe
    Baseline default: Disable
- Java permissions
  Baseline default: Enabled
  - Java permissions
    Baseline default: Disable Java
- Launching applications and files in an IFRAME
  Baseline default: Enabled
  - Launching applications and files in an IFRAME
    Baseline default: Disable
- Logon options
  Baseline default: Enabled
  - Logon options
    Baseline default: Anonymous logon
- Navigate windows and frames across different domains
  Baseline default: Enabled
  - Navigate windows and frames across different domains
    Baseline default: Disable
- Run .NET Framework-reliant components not signed with Authenticode
  Baseline default: Enabled
  - Run .NET Framework-reliant components not signed with Authenticode
    Baseline default: Disable
- Run .NET Framework-reliant components signed with Authenticode
  Baseline default: Enabled
  - Run .NET Framework-reliant components signed with Authenticode
    Baseline default: Disable
- Run ActiveX controls and plugins
  Baseline default: Enabled
  - Run ActiveX controls and plugins
    Baseline default: Disable
- Script ActiveX controls marked safe for scripting
  Baseline default: Enabled
  - Script ActiveX controls marked safe for scripting
    Baseline default: Disable
- Scripting of Java applets
  Baseline default: Enabled
  - Scripting of Java applets
    Baseline default: Disable
- Show security warning for potentially unsafe files
  Baseline default: Enabled
  - Launching programs and unsafe files
    Baseline default: Disable
- Turn on Cross-Site Scripting Filter
  Baseline default: Enabled
  - Turn on Cross-Site Scripting (XSS) Filter
    Baseline default: Enabled
- Turn on Protected Mode
  Baseline default: Enabled
  - Protected Mode
    Baseline default: Enabled
- Turn on SmartScreen Filter scan
  Baseline default: Enabled
  - Use SmartScreen Filter
    Baseline default: Enabled
- Use Pop-up Blocker
  Baseline default: Enabled
  - Use Pop-up Blocker
    Baseline default: Enabled
- Userdata persistence
  Baseline default: Enabled
  - Userdata persistence
    Baseline default: Disable
- Web sites in less privileged Web content zones can navigate into this zone
  Baseline default: Enabled
  - Web sites in less privileged Web content zones can navigate into this zone
    Baseline default: Disable

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone

- Don't run antimalware programs against ActiveX controls
  Baseline default: Enabled
  - Don't run antimalware programs against ActiveX controls
    Baseline default: Disable
- Initialize and script ActiveX controls not marked as safe
  Baseline default: Enabled
  - Initialize and script ActiveX controls not marked as safe
    Baseline default: Disable
- Java permissions
  Baseline default: Enabled
  - Java permissions
    Baseline default: High safety

- Prevent bypassing SmartScreen Filter warnings
  Baseline default: Enabled
- Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
  Baseline default: Enabled
- Prevent managing SmartScreen Filter
  Baseline default: Enabled
  - Select SmartScreen Filter mode
    Baseline default: On
- Prevent per-user installation of ActiveX controls
  Baseline default: Enabled
- Security Zones: Do not allow users to add/delete sites
  Baseline default: Enabled
- Security Zones: Do not allow users to change policies
  Baseline default: Enabled
- Security Zones: Use only machine settings
  Baseline default: Enabled
- Specify use of ActiveX Installer Service for installation of ActiveX controls
  Baseline default: Enabled
- Turn off Crash Detection
  Baseline default: Enabled
- Turn off the Security Settings Check feature
  Baseline default: Disabled
- Turn on the auto-complete feature for user names and passwords on forms (User)
  Baseline default: Disabled
- Remove "Run this time" button for outdated ActiveX controls in Internet Explorer
  Baseline default: Enabled
- Turn off blocking of outdated ActiveX controls for Internet Explorer
  Baseline default: Disabled
- Allow fallback to SSL 3.0 (Internet Explorer)
  Baseline default: Enabled
  - Allow insecure fallback for:
    Baseline default: No Sites
- Internet Explorer Processes
  Baseline default: Enabled
- Internet Explorer Processes
  Baseline default: Enabled
- Internet Explorer Processes
  Baseline default: Enabled
- Internet Explorer Processes
  Baseline default: Enabled
- Internet Explorer Processes
  Baseline default: Enabled
- Internet Explorer Processes
  Baseline default: Enabled
- Internet Explorer Processes
  Baseline default: Enabled
- Internet Explorer Processes
  Baseline default: Enabled
- Configure the 'Block at First Sight' feature
  Baseline default: Enabled
- Turn on process scanning whenever real-time protection is enabled
  Baseline default: Enabled
- Scan packed executables
  Baseline default: Enabled
- Turn off routine remediation
  Baseline default: Disabled
- Do not allow passwords to be saved
  Baseline default: Enabled

Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection

- Do not allow drive redirection
  Baseline default: Enabled
- Always prompt for password upon connection
  Baseline default: Enabled
- Require secure RPC communication
  Baseline default: Enabled
- Set client connection encryption level
  Baseline default: Enabled
  - Encryption Level
    Baseline default: High Level
- Prevent downloading of enclosures
  Baseline default: Enabled
- Sign-in and lock last interactive user automatically after a restart
  Baseline default: Disabled
- Turn on PowerShell Script Block Logging
  Baseline default: Enabled
  - Log script block invocation start / stop events:
    Baseline default: False
- Allow Basic authentication
  Baseline default: Disabled
- Allow unencrypted traffic
  Baseline default: Disabled
- Disallow Digest authentication
  Baseline default: Enabled
- Allow Basic authentication
  Baseline default: Disabled
- Allow unencrypted traffic
  Baseline default: Disabled
- Disallow WinRM from storing RunAs credentials
  Baseline default: Enabled
- Account Logon Audit Credential Validation
  Baseline default: Success + Failure
- Account Logon Logoff Audit Account Lockout
  Baseline default: Failure
- Account Logon Logoff Audit Group Membership
  Baseline default: Success
- Account Logon Logoff Audit Logon
  Baseline default: Success + Failure
- Audit Authentication Policy Change
  Baseline default: Success
- Audit Changes to Audit Policy
  Baseline default: Success
- Audit File Share Access
  Baseline default: Success + Failure
- Audit Other Logon Logoff Events
  Baseline default: Success + Failure
- Audit Security Group Management
  Baseline default: Success
- Audit Security System Extension
  Baseline default: Success
- Audit Special Logon
  Baseline default: Success
- Audit User Account Management
  Baseline default: Success + Failure
- Detailed Tracking Audit PNP Activity
  Baseline default: Success
- Detailed Tracking Audit Process Creation
  Baseline default: Success
- Object Access Audit Detailed File Share
  Baseline default: Failure
- Object Access Audit Other Object Access Events
  Baseline default: Success + Failure
- Object Access Audit Removable Storage
  Baseline default: Success + Failure
- Policy Change Audit MPSSVC Rule Level Policy Change
  Baseline default: Success + Failure
- Policy Change Audit Other Policy Change Events
  Baseline default: Failure
- Privilege Use Audit Sensitive Privilege Use
  Baseline default: Success
- System Audit Other System Events
  Baseline default: Success + Failure
- System Audit Security State Change
  Baseline default: Success
- System Audit System Integrity
  Baseline default: Success + Failure
- Allow Direct Memory Access
  Baseline default: Block
-
- Allow Archive Scanning
  Baseline default: Allowed. Scans the archive files.
  Learn more
- Allow Behavior Monitoring
  Baseline default: Allowed. Turns on real-time behavior monitoring.
  Learn more
- Allow Cloud Protection
  Baseline default: Allowed. Turns on Cloud Protection.
  Learn more
- Allow Full Scan Removable Drive Scanning
  Baseline default: Allowed. Scans removable drives.
  Learn more
- Allow On Access Protection
  Baseline default: Allowed.
  Learn more
- Allow Realtime Monitoring
  Baseline default: Allowed. Turns on and runs the real-time monitoring service.
  Learn more
- Allow scanning of all downloaded files and attachments
  Baseline default: Allowed.
  Learn more
- Allow Script Scanning
  Baseline default: Allowed.
  Learn more
- Block execution of potentially obfuscated scripts
  Baseline default: Block
  Learn more
- Block Win32 API calls from Office macros
  Baseline default: Block
  Learn more
- Block Office communication application from creating child processes
  Baseline default: Block
  Learn more
- Block all Office applications from creating child processes
  Baseline default: Block
  Learn more
- Block Adobe Reader from creating child processes
  Baseline default: Block
  Learn more
- Block credential stealing from the Windows local security authority subsystem
  Baseline default: Block
  Learn more
- Block JavaScript or VBScript from launching downloaded executable content
  Baseline default: Block
  Learn more
- Block untrusted and unsigned processes that run from USB
  Baseline default: Block
  Learn more
- Block Office applications from creating executable content
  Baseline default: Block
  Learn more
- Block Office applications from injecting code into other processes
  Baseline default: Block
  Learn more
- Block executable content from email client and webmail
  Baseline default: Block
  Learn more
- Cloud Block Level
  Baseline default: High
  Learn more
- Cloud Extended Timeout
  Baseline default: Configured
  Value: 50
  Learn more
- Disable Local Admin Merge
  Baseline default: Disable Local Admin Merge
  Learn more
- Enable File Hash Computation
  Baseline default: Enable
  Learn more
- Enable Network Protection
  Baseline default: Enabled (block mode)
  Learn more
- Hide Exclusions From Local Admins
  Baseline default: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
  Learn more
- PUA Protection
  Baseline default: PUA Protection on. Detected items are blocked. They will show in history along with other threats.
  Learn more
- Real Time Scan Direction
  Baseline default: Monitor all files (bi-directional).
  Learn more
- Submit Samples Consent
  Baseline default: Send all samples automatically.
  Learn more

- Configure System Guard Launch
  Baseline default: Unmanaged Enables Secure Launch if supported by hardware
  Learn more
- Credential Guard
  Baseline default: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.
  Learn more
- Enable Virtualization Based Security
  Baseline default: Enable virtualization based security.
  Learn more
- Require Platform Security Features
  Baseline default: Turns on VBS with Secure Boot.
  Learn more

- Device Password Enabled
  Baseline default: Enabled
  Learn more
- Device Password History
  Baseline default: Configured
  Value: 24
  Learn more
- Min Device Password Length
  Baseline default: Configured
  Value: 14
  Learn more

- Device Enumeration Policy
  Baseline default: Block all (Most restrictive)
  Learn more

- Allow Windows Spotlight (User)
  Baseline default: Allow
  Learn more
- Allow Windows Consumer Features
  Baseline default: Allow
  Learn more
- Allow Third Party Suggestions In Windows Spotlight (User)
  Baseline default: Block
  Learn more

- Enable Domain Network Firewall
  Baseline default: True
  Learn more
  - Enable Log Dropped Packets
    Baseline default: Enable Logging Of Dropped Packets
    Learn more
  - Default Outbound Action
    Baseline default: Allow
    Learn more
  - Disable Inbound Notifications
    Baseline default: True
    Learn more
  - Log Max File Size
    Baseline default: Configured
    Value: 16384
    Learn more
  - Default Inbound Action for Domain Profile
    Baseline default: Block
    Learn more
  - Enable Log Success Connections
    Baseline default: Enable Logging Of Successful Connections
    Learn more

- Enable Private Network Firewall
  Baseline default: True
  Learn more
  - Log Max File Size
    Baseline default: Configured
    Value: 16384
    Learn more
  - Default Inbound Action for Private Profile
    Baseline default: Block
    Learn more
  - Enable Log Success Connections
    Baseline default: Enable Logging Of Successful Connections
    Learn more
  - Enable Log Dropped Packets
    Baseline default: Enable Logging Of Dropped Packets
    Learn more
  - Disable Inbound Notifications
    Baseline default: True
    Learn more
  - Default Outbound Action
    Baseline default: Allow
    Learn more

- Enable Public Network Firewall
  Baseline default: True
  Learn more
  - Enable Log Dropped Packets
    Baseline default: Enable Logging Of Dropped Packets
    Learn more
  - Log Max File Size
    Baseline default: Configured
    Value: 16384
    Learn more
  - Default Outbound Action
    Baseline default: Allow
    Learn more
  - Disable Inbound Notifications
    Baseline default: True
    Learn more
  - Allow Local Policy Merge
    Baseline default: False
    Learn more
  - Default Inbound Action for Public Profile
    Baseline default: Block
    Learn more
  - Enable Log Success Connections
    Baseline default: Enable Logging Of Successful Connections
    Learn more
  - Allow Local Ipsec Policy Merge
    Baseline default: False
    Learn more

- Enable Insecure Guest Logons
  Baseline default: Disabled
  Learn more

- Configure Lsa Protected Process
  Baseline default: Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked.
  Learn more

- Allow Game DVR
  Baseline default: Block
  Learn more
- MSI Allow User Control Over Install
  Baseline default: Disabled
  Learn more
- MSI Always Install With Elevated Privileges
  Baseline default: Disabled
  Learn more

- Default Adobe Flash setting
  Baseline default: Disabled
- Default Adobe Flash setting (User)
  Baseline default: Disabled
- Minimum TLS version enabled
  Baseline default: Enabled
  - Minimum TLS version enabled (Device)
    Baseline default: TLS 1.2
- Minimum TLS version enabled (User)
  Baseline default: Enabled
  - Minimum TLS version enabled (User)
    Baseline default: TLS 1.2
- Configure Microsoft Defender SmartScreen
  Baseline default: Enabled
- Prevent bypassing Microsoft Defender SmartScreen prompts for sites
  Baseline default: Enabled

- Let Apps Activate With Voice Above Lock
  Baseline default: Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it.
  Learn more

- Allow Indexing Encrypted Stores Or Items
  Baseline default: Block
  Learn more

- Enable Smart Screen In Shell
  Baseline default: Enabled
  Learn more
- Prevent Override For Files In Shell
  Baseline default: Enabled
  Learn more

- Notify Malicious
  Baseline default: Enabled
- Notify Password Reuse
  Baseline default: Enabled
- Notify Unsafe App
  Baseline default: Enabled
- Service Enabled
  Baseline default: Enabled

- Access From Network
  Baseline default: Configured
  Values: `*S-1-5-32-544`, `*S-1-5-32-555`
  Learn more
- Allow Local Log On
  Baseline default: Configured
  Values: `*S-1-5-32-544`, `*S-1-5-32-545`
  Learn more
- Backup Files And Directories
  Baseline default: Configured
  Value: `*S-1-5-32-544`
  Learn more
- Create Global Objects
  Baseline default: Configured
  Values: `*S-1-5-32-544`, `*S-1-5-19`, `*S-1-5-20`, `*S-1-5-6`
  Learn more
- Create Page File
  Baseline default: Configured
  Value: `*S-1-5-32-544`
  Learn more
- Debug Programs
  Baseline default: Configured
  Value: `*S-1-5-32-544`
  Learn more
- Deny Access From Network
  Baseline default: Configured
  Value: `*S-1-5-113`
  Learn more
- Deny Remote Desktop Services Log On
  Baseline default: Configured
  Value: `*S-1-5-113`
  Learn more
- Impersonate Client
  Baseline default: Configured
  Values: `*S-1-5-32-544`, `*S-1-5-6`, `*S-1-5-19`, `*S-1-5-20`
  Learn more
- Load Unload Device Drivers
  Baseline default: Configured
  Value: `*S-1-5-32-544`
  Learn more
- Manage Auditing And Security Log
  Baseline default: Configured
  Value: `*S-1-5-32-544`
  Learn more
- Manage Volume
  Baseline default: Configured
  Value: `*S-1-5-32-544`
  Learn more
- Modify Firmware Environment
  Baseline default: Configured
  Value: `*S-1-5-32-544`
  Learn more
- Profile Single Process
  Baseline default: Configured
  Value: `*S-1-5-32-544`
  Learn more
- Remote Shutdown
  Baseline default: Configured
  Value: `*S-1-5-32-544`
  Learn more
- Restore Files And Directories
  Baseline default: Configured
  Value: `*S-1-5-32-544`
  Learn more
- Take Ownership
  Baseline default: Configured
  Value: `*S-1-5-32-544`
  Learn more

- Hypervisor Enforced Code Integrity
  Baseline default: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock.
  Learn more

- Allow Windows Ink Workspace
  Baseline default: Ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
  Learn more

- Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only
  Baseline default: Enabled
  Learn more
- Interactive Logon Machine Inactivity Limit
  Baseline default: Configured
  Value: 900
  Learn more
- Interactive Logon Smart Card Removal Behavior
  Baseline default: Lock Workstation
  Learn more
- Microsoft Network Client Digitally Sign Communications Always
  Baseline default: Enable
  Learn more
- Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers
  Baseline default: Disable
  Learn more
- Microsoft Network Server Digitally Sign Communications Always
  Baseline default: Enable
  Learn more
- Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts
  Baseline default: Enabled
  Learn more
- Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares
  Baseline default: Enabled
  Learn more
- Network Access Restrict Anonymous Access To Named Pipes And Shares
  Baseline default: Enable
  Learn more
- Network Access Restrict Clients Allowed To Make Remote Calls To SAM
  Baseline default: Configured
  Value: `O:BAG:BAD:(A;;RC;;;BA)`
  Learn more
- Network Security Do Not Store LAN Manager Hash Value On Next Password Change
  Baseline default: Enable
  Learn more
- Network Security LAN Manager Authentication Level
  Baseline default: Send LM and NTLMv2 responses only. Refuse LM and NTLM
  Learn more
- Network Security Minimum Session Security For NTLMSSP Based Clients
  Baseline default: Require NTLM and 128-bit encryption
  Learn more
- Network Security Minimum Session Security For NTLMSSP Based Servers
  Baseline default: Require NTLM and 128-bit encryption
  Learn more
- User Account Control Behavior Of The Elevation Prompt For Administrators
  Baseline default: Prompt for consent on the secure desktop
  Learn more
- User Account Control Behavior Of The Elevation Prompt For Standard Users
  Baseline default: Automatically deny elevation requests
  Learn more
- User Account Control Detect Application Installations And Prompt For Elevation
  Baseline default: Enable
  Learn more
- User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations
  Baseline default: Enabled: Application runs with UIAccess integrity only if it resides in secure location.
  Learn more
- User Account Control Run All Administrators In Admin Approval Mode
  Baseline default: Enabled
  Learn more
- User Account Control Use Admin Approval Mode
  Baseline default: Enable
  Learn more
- User Account Control Virtualize File And Registry Write Failures To Per User Locations
  Baseline default: Enabled
  Learn more

::: zone-end
::: zone pivot="win365-nov21"

- Voice activate apps from locked screen
  Baseline default: Disabled
  Learn more
- Block display of toast notifications
  Baseline default: Yes
  Learn more

- Microsoft accounts optional for Microsoft store apps
  Baseline default: Enabled
  Learn more

- Block app installations with elevated privileges
  Baseline default: Yes
  Learn more
- Block user control over installations
  Baseline default: Yes
  Learn more
- Block game DVR (desktop only)
  Baseline default: Yes
  Learn more

For general information, see Learn about attack surface reduction rules.

- Block Office communication apps from creating child processes
  Baseline default: Enable
  Learn more
- Block Adobe Reader from creating child processes
  Baseline default: Enable
  Learn more
- Block Office applications from injecting code into other processes
  Baseline default: Block
  Learn more
- Block Office applications from creating executable content
  Baseline default: Block
  Learn more
- Block JavaScript or VBScript from launching downloaded executable content
  Baseline default: Block
  Learn more
- Enable network protection
  Baseline default: Enable
  Learn more
- Block untrusted and unsigned processes that run from USB
  Baseline default: Block
  Learn more
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
  Baseline default: Enable
  Learn more
- Block all Office applications from creating child processes
  Baseline default: Block
  Learn more
- Block execution of potentially obfuscated scripts (js/vbs/ps)
  Baseline default: Block
  Learn more
- Block Win32 API calls from Office macro
  Baseline default: Block
  Learn more
- Block executable content download from email and webmail clients
  Baseline default: Block
  Learn more

Audit settings configure the events that are generated for the conditions of the setting.

- Account Logon Audit Credential Validation (Device)
  Baseline default: Success and Failure
- Account Logon Audit Kerberos Authentication Service (Device)
  Baseline default: None
- Account Logon Logoff Audit Account Lockout (Device)
  Baseline default: Failure
- Account Logon Logoff Audit Group Membership (Device)
  Baseline default: Success
- Account Logon Logoff Audit Logon (Device)
  Baseline default: Success and Failure
- Audit Other Logon Logoff Events (Device)
  Baseline default: Success and Failure
- Audit Special Logon (Device)
  Baseline default: Success
- Audit Security Group Management (Device)
  Baseline default: Success
- Audit User Account Management (Device)
  Baseline default: Success and Failure
- Detailed Tracking Audit PNP Activity (Device)
  Baseline default: Success
- Detailed Tracking Audit Process Creation (Device)
  Baseline default: Success
- Object Access Audit Detailed File Share (Device)
  Baseline default: Failure
- Audit File Share Access (Device)
  Baseline default: Success and Failure
- Object Access Audit Other Object Access Events (Device)
  Baseline default: Success and Failure
- Object Access Audit Removable Storage (Device)
  Baseline default: Success and Failure
- Audit Authentication Policy Change (Device)
  Baseline default: Success
- Policy Change Audit MPSSVC Rule Level Policy Change (Device)
  Baseline default: Success and Failure
- Policy Change Audit Other Policy Change Events (Device)
  Baseline default: Failure
- Audit Changes to Audit Policy (Device)
  Baseline default: Success
- Privilege Use Audit Sensitive Privilege Use (Device)
  Baseline default: Success and Failure
- System Audit Other System Events (Device)
  Baseline default: Success and Failure
- System Audit Security State Change (Device)
  Baseline default: Success
- Audit Security System Extension (Device)
  Baseline default: Success
- System Audit System Integrity (Device)
  Baseline default: Success and Failure

- Auto play default auto run behavior
  Baseline default: Do not execute
  Learn more
- Auto play mode
  Baseline default: Disabled
  Learn more
- Block auto play for non-volume devices
  Baseline default: Enabled
  Learn more

- Block Password Manager
  Baseline default: Yes
  Learn more
- Require SmartScreen for Microsoft Edge Legacy
  Baseline default: Yes
  Learn more
- Block malicious site
  Baseline default: Yes
  Learn more
- Block unverified file download
  Baseline default: Yes
  Learn more
- Prevent user from overriding certificate errors
  Baseline default: Yes
  Learn more

- Configure secure access to UNC paths
  Baseline default: Configure Windows to only allow access to the specified UNC paths after fulfilling additional security requirements
  Learn more
  - Hardened UNC path list
    Not configured by default. Manually add one or more hardened UNC paths.

- Block downloading of print drivers over HTTP
  Baseline default: Enabled
  Learn more
- Block Internet download for web publishing and online ordering wizards
  Baseline default: Enabled
  Learn more

- Remote host delegation of non-exportable credentials
  Baseline default: Enabled
  Learn more

- Enumerate administrators
  Baseline default: Disabled
  Learn more

- Virtualization based security
  Baseline default: Enable VBS with secure boot
- Enable virtualization based security
  Baseline default: Yes
  Learn more
- Launch system guard
  Baseline default: Enabled
- Turn on Credential Guard
  Baseline default: Enable with UEFI lock
  Learn more

- Block hardware device installation by setup classes
  Baseline default: Yes
  Learn more
  - Remove matching hardware devices
    Baseline default: Yes
  - Block list
    Not configured by default. Manually add one or more Identifiers.
- Enumeration of external devices incompatible with Kernel DMA Protection
  Baseline default: Block all

- Application log maximum file size in KB
  Baseline default: 32768
  Learn more
- System log maximum file size in KB
  Baseline default: 32768
  Learn more
- Security log maximum file size in KB
  Baseline default: 196608
  Learn more

- Block Windows Spotlight
  Baseline default: Yes
  Learn more

- Block data execution prevention
  Baseline default: Disabled
  Learn more
- Block heap termination on corruption
  Baseline default: Disabled
  Learn more

For more information, see 2.2.2 FW_PROFILE_TYPE in the Windows Protocols documentation.

- Firewall profile domain
  Baseline default: Configure
  Learn more
  - Inbound connections blocked
    Baseline default: Yes
    Learn more
  - Outbound connections required
    Baseline default: Yes
    Learn more
  - Inbound notifications blocked
    Baseline default: Yes
    Learn more
  - Firewall enabled
    Baseline default: Allowed
    Learn more

- Firewall profile private
  Baseline default: Configure
  Learn more
  - Inbound connections blocked
    Baseline default: Yes
    Learn more
  - Outbound connections required
    Baseline default: Yes
    Learn more
  - Inbound notifications blocked
    Baseline default: Yes
    Learn more
  - Firewall enabled
    Baseline default: Allowed
    Learn more

- Firewall profile public
  Baseline default: Configure
  Learn more
  - Inbound connections blocked
    Baseline default: Yes
    Learn more
  - Outbound connections required
    Baseline default: Yes
    Learn more
  - Inbound notifications blocked
    Baseline default: Yes
    Learn more
  - Firewall enabled
    Baseline default: Allowed
    Learn more
  - Connection security rules from group policy not merged
    Baseline default: Yes
    Learn more
  - Policy rules from group policy not merged
    Baseline default: Yes
    Learn more

View the full list of Internet Explorer CSPs.

- Internet Explorer encryption support
  Baseline defaults: Two items: TLS v1.1 and TLS v1.2
- Internet Explorer prevent managing smart screen filter
  Baseline default: Enable
  Learn more
- Internet Explorer restricted zone script Active X controls marked safe for scripting
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone file downloads
  Baseline default: Disable
  Learn more
- Internet Explorer certificate address mismatch warning
  Baseline default: Disable
  Learn more
- Internet Explorer enhanced protected mode
  Baseline default: Disable
  Learn more
- Internet Explorer fallback to SSL3
  Baseline default: No sites
  Learn more
- Internet Explorer software when signature is invalid
  Baseline default: Disable
  Learn more
- Internet Explorer check server certificate revocation
  Baseline default: Enable
  Learn more
- Internet Explorer check signatures on downloaded programs
  Baseline default: Enable
  Learn more
- Internet Explorer processes consistent MIME handling
  Baseline default: Enable
  Learn more
- Internet Explorer bypass smart screen warnings
  Baseline default: Disable
  Learn more
- Internet Explorer bypass smart screen warnings about uncommon files
  Baseline default: Disable
  Learn more
- Internet Explorer crash detection
  Baseline default: Disable
  Learn more
- Internet Explorer download enclosures
  Baseline default: Disable
  Learn more
- Internet Explorer ignore certificate errors
  Baseline default: Disable
  Learn more
- Internet Explorer disable processes in enhanced protected mode
  Baseline default: Enable
  Learn more
- Internet Explorer security settings check
  Baseline default: Enabled
  Learn more
- Internet Explorer Active X controls in protected mode
  Baseline default: Disabled
  Learn more
- Internet Explorer users adding sites
  Baseline default: Disabled
  Learn more
- Internet Explorer users changing policies
  Baseline default: Disabled
  Learn more
- Internet Explorer block outdated Active X controls
  Baseline default: Enabled
  Learn more
- Internet Explorer include all network paths
  Baseline default: Disabled
  Learn more
- Internet Explorer internet zone access to data sources
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone automatic prompt for file downloads
  Baseline default: Disabled
  Learn more
- Internet Explorer internet zone copy and paste via script
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone drag and drop or copy and paste files
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone less privileged sites
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone loading of XAML files
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone .NET Framework reliant components
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone allows only approved domains to use ActiveX controls
  Baseline default: Enabled
  Learn more
- Internet Explorer internet zone allows only approved domains to use tdc ActiveX controls
  Baseline default: Enabled
  Learn more
- Internet Explorer internet zone scripting of web browser controls
  Baseline default: Disabled
  Learn more
- Internet Explorer internet zone script initiated windows
  Baseline default: Disabled
  Learn more
- Internet Explorer internet zone scriptlets
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone smart screen
  Baseline default: Enabled
  Learn more
- Internet Explorer internet zone updates to status bar via script
  Baseline default: Disabled
  Learn more
- Internet Explorer internet zone user data persistence
  Baseline default: Disabled
  Learn more
- Internet Explorer internet zone allows VBscript to run
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone do not run antimalware against ActiveX controls
  Baseline default: Disabled
  Learn more
- Internet Explorer internet zone download signed ActiveX controls
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone download unsigned ActiveX controls
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone cross site scripting filter
  Baseline default: Enabled
  Learn more
- Internet Explorer internet zone drag content from different domains across windows
  Baseline default: Disabled
  Learn more
- Internet Explorer internet zone drag content from different domains within windows
  Baseline default: Disabled
  Learn more
- Internet Explorer internet zone protected mode
  Baseline default: Enable
  Learn more
- Internet Explorer internet zone include local path when uploading files to server
  Baseline default: Disabled
  Learn more
- Internet Explorer internet zone initialize and script Active X controls not marked as safe
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone java permissions
  Baseline default: Disable java
  Learn more
- Internet Explorer internet zone launch applications and files in an iframe
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone logon options
  Baseline default: Prompt
  Learn more
- Internet Explorer internet zone navigate windows and frames across different domains
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone run .NET Framework reliant components signed with Authenticode
  Baseline default: Disable
  Learn more
- Internet Explorer internet zone security warning for potentially unsafe files
  Baseline default: Prompt
  Learn more
- Internet Explorer internet zone popup blocker
  Baseline default: Enable
  Learn more
- Internet Explorer intranet zone do not run antimalware against Active X controls
  Baseline default: Disabled
  Learn more
- Internet Explorer intranet zone initialize and script Active X controls not marked as safe
  Baseline default: Disable
  Learn more
- Internet Explorer intranet zone java permissions
  Baseline default: High safety
  Learn more
- Internet Explorer local machine zone do not run antimalware against Active X controls
  Baseline default: Disabled
  Learn more
- Internet Explorer local machine zone java permissions
  Baseline default: Disable java
  Learn more
- Internet Explorer locked down internet zone smart screen
  Baseline default: Enabled
  Learn more
- Internet Explorer locked down intranet zone java permissions
  Baseline default: Disable java
  Learn more
- Internet Explorer locked down local machine zone java permissions
  Baseline default: Disable java
  Learn more
- Internet Explorer locked down restricted zone smart screen
  Baseline default: Enabled
  Learn more
- Internet Explorer locked down restricted zone java permissions
  Baseline default: Disable java
  Learn more
- Internet Explorer locked down trusted zone java permissions
  Baseline default: Disable java
  Learn more
- Internet Explorer processes MIME sniffing safety feature
  Baseline default: Enabled
  Learn more
- Internet Explorer processes MK protocol security restriction
  Baseline default: Enabled
  Learn more
- Internet Explorer processes notification bar
  Baseline default: Enabled
  Learn more
- Internet Explorer prevent per user installation of Active X controls
  Baseline default: Enabled
  Learn more
- Internet Explorer processes protection from zone elevation
  Baseline default: Enabled
  Learn more
- Internet Explorer remove run this time button for outdated Active X controls
  Baseline default: Enabled
  Learn more
- Internet Explorer processes restrict Active X install
  Baseline default: Enabled
  Learn more
- Internet Explorer restricted zone access to data sources
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone active scripting
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone automatic prompt for file downloads
  Baseline default: Disabled
  Learn more
- Internet Explorer restricted zone binary and script behaviors
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone copy and paste via script
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone drag and drop or copy and paste files
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone less privileged sites
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone loading of XAML files
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone meta refresh
  Baseline default: Disabled
  Learn more
- Internet Explorer restricted zone .NET Framework reliant components
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone allows only approved domains to use Active X controls
  Baseline default: Enabled
  Learn more
- Internet Explorer restricted zone allows only approved domains to use tdc Active X controls
  Baseline default: Enabled
  Learn more
- Internet Explorer restricted zone scripting of web browser controls
  Baseline default: Disabled
  Learn more
- Internet Explorer restricted zone script initiated windows
  Baseline default: Disabled
  Learn more
- Internet Explorer restricted zone scriptlets
  Baseline default: Disabled
  Learn more
- Internet Explorer restricted zone smart screen
  Baseline default: Enabled
  Learn more
- Internet Explorer restricted zone updates to status bar via script
  Baseline default: Disabled
  Learn more
- Internet Explorer restricted zone user data persistence
  Baseline default: Disabled
  Learn more
- Internet Explorer restricted zone allows vbscript to run
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone do not run antimalware against Active X controls
  Baseline default: Disabled
  Learn more
- Internet Explorer restricted zone download signed Active X controls
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone download unsigned Active X controls
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone cross site scripting filter
  Baseline default: Enabled
  Learn more
- Internet Explorer restricted zone drag content from different domains across windows
  Baseline default: Disabled
  Learn more
- Internet Explorer restricted zone drag content from different domains within windows
  Baseline default: Disabled
  Learn more
- Internet Explorer restricted zone include local path when uploading files to server
  Baseline default: Disabled
  Learn more
- Internet Explorer restricted zone initialize and script Active X controls not marked as safe
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone java permissions
  Baseline default: Disable java
  Learn more
- Internet Explorer restricted zone launch applications and files in an iFrame
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone logon options
  Baseline default: Anonymous
  Learn more
- Internet Explorer restricted zone navigate windows and frames across different domains
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone run Active X controls and plugins
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone run .NET Framework reliant components signed with Authenticode
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone scripting of java applets
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone security warning for potentially unsafe files
  Baseline default: Disable
  Learn more
- Internet Explorer restricted zone protected mode
  Baseline default: Enable
  Learn more
- Internet Explorer restricted zone popup blocker
  Baseline default: Enable
  Learn more
- Internet Explorer processes restrict file download
  Baseline default: Enabled
  Learn more
- Internet Explorer processes scripted window security restrictions
  Baseline default: Enabled
  Learn more
- Internet Explorer security zones use only machine settings
  Baseline default: Enabled
  Learn more
- Internet Explorer use Active X installer service
  Baseline default: Enabled
  Learn more
- Internet Explorer trusted zone do not run antimalware against Active X controls
  Baseline default: Disabled
  Learn more
- Internet Explorer trusted zone initialize and script Active X controls not marked as safe
  Baseline default: Disable
  Learn more
- Internet Explorer trusted zone java permissions
  Baseline default: High safety
  Learn more
- Internet Explorer auto complete
  Baseline default: Disabled
  Learn more

- Block remote logon with blank password
  Baseline default: Yes
  Learn more
- Minutes of lock screen inactivity until screen saver activates
  Baseline default: 15
  Learn more
- Smart card removal behavior
  Baseline default: Lock workstation
  Learn more
- Require client to always digitally sign communications
  Baseline default: Yes
  Learn more
- Prevent clients from sending unencrypted passwords to third party SMB servers
  Baseline default: Yes
  Learn more
- Require server digitally signing communications always
  Baseline default: Yes
  Learn more
- Prevent anonymous enumeration of SAM accounts
  Baseline default: Yes
  Learn more
- Block anonymous enumeration of SAM accounts and shares
  Baseline default: Yes
  Learn more
- Restrict anonymous access to named pipes and shares
  Baseline default: Yes
  Learn more
- Allow remote calls to security accounts manager
  Baseline default: `O:BAG:BAD:(A;;RC;;;BA)`
  Learn more
- Prevent storing LAN manager hash value on next password change
  Baseline default: Yes
  Learn more
- Authentication level
  Baseline default: Send NTLMv2 response only. Refuse LM and NTLM
  Learn more
- Minimum session security for NTLM SSP based clients
  Baseline default: Require NTLM V2 and 128 bit encryption
  Learn more
- Minimum session security for NTLM SSP based servers
  Baseline default: Require NTLM V2 and 128 bit encryption
  Learn more
- Administrator elevation prompt behavior
  Baseline default: Prompt for consent on the secure desktop
  Learn more
- Standard user elevation prompt behavior
  Baseline default: Automatically deny elevation requests
  Learn more
- Detect application installations and prompt for elevation
  Baseline default: Yes
  Learn more
- Only allow UI access applications for secure locations
  Baseline default: Yes
  Learn more
- Require admin approval mode for administrators
  Baseline default: Yes
  Learn more
- Use admin approval mode
  Baseline default: Yes
  Learn more
- Virtualize file and registry write failures to per user locations
  Baseline default: Yes
  Learn more

- Turn on real-time protection
  Baseline default: Yes
  Learn more
- Scan scripts that are used in Microsoft browsers
  Baseline default: Yes
  Learn more
- Additional amount of time (0-50 seconds) to extend cloud protection timeout
  Baseline default: 50
  Learn more
- Scan all downloaded files and attachments
  Baseline default: Yes
  Learn more
- Scan type
  Baseline default: Quick scan
  Learn more
- Defender schedule scan day
  Baseline default: Everyday
- Scheduled scan start time
  Baseline default: Not configured
- Defender sample submission consent
  Baseline default: Send safe samples automatically
  Learn more
- Cloud-delivered protection level
  Baseline default: High
  Learn more
- Scan removable drives during full scan
  Baseline default: Yes
  Learn more
- Defender potentially unwanted app action
  Baseline default: Block
  Learn more
- Turn on cloud-delivered protection
  Baseline default: Yes
  Learn more

Warning
Defining exclusions lowers the protection offered by Microsoft Defender Antivirus. Always evaluate the risks that are associated with implementing exclusions. Only exclude files you know aren't malicious.
For more information, see Exclusions overview in the Microsoft Defender documentation.
-
Defender Processes to exclude
Baseline defaults: Not configured by default. Manually add one or more entries. -
File extensions to exclude from scans and real-time protection
Baseline defaults: Not configured by default. Manually add one or more entries. -
Defender Files And Folders To Exclude
Baseline default: Not configured by default. Manually add one or more entries.
-
Control which extensions cannot be installed
Baseline default: Enabled- Extension IDs the user should be prevented from installing (or * for all)
Baseline default: Not configured by default. Manually add one or more IDs
- Extension IDs the user should be prevented from installing (or * for all)
-
Allow user-level native messaging hosts (installed without admin permissions)
Baseline default: Disabled -
Minimum SSL version enabled
Baseline default: Enabled- Minimum SSL version enabled
Baseline default: TLS 1.2
- Minimum SSL version enabled
-
Allow users to proceed from the SSL warning page
Baseline default: Disabled -
Configure Microsoft Defender SmartScreen
Baseline default: Enabled -
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled -
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled -
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Baseline default: Enabled -
Default Adobe Flash setting
Baseline default: Enabled- Default Adobe Flash setting
Baseline default: Block the Adobe Flash plugin
- Default Adobe Flash setting
-
Enable saving passwords to the password manager
Baseline default: Disabled -
Enable site isolation for every site
Baseline default: Enabled -
Supported authentication schemes
Baseline default: Enabled- Supported authentication schemes
Baseline defaults: Two items: NTLM and Negotiate
- Supported authentication schemes
-
SMB v1 client driver start configuration
Baseline default: Disable driver
Learn more -
Apply UAC restrictions to local accounts on network logon
Baseline default: Enabled
Learn more -
Structured exception handling overwrite protection
Baseline default: Enabled
Learn more -
SMB v1 server
Baseline default: Disabled
Learn more -
Digest authentication
Baseline default: Disabled
Learn more
-
Network IPv6 source routing protection level
Baseline default: Highest protection
Learn more -
Network IP source routing protection level
Baseline default: Highest protection
Learn more -
Network ignore NetBIOS name release requests except from WINS servers
Baseline default: Enabled
Learn more -
Network ICMP redirects override OSPF generated routes
Baseline default: Disabled
Learn more
- Remote Assistance solicited
Baseline default: Disable Remote Assistance
Learn more
-
Remote desktop services client connection encryption level
Baseline default: High
Learn more -
Block drive redirection
Baseline default: Enabled -
Block password saving
Baseline default: Enabled
Learn more -
Prompt for password upon connection
Baseline default: Enabled
Learn more -
Secure RPC communication
Baseline default: Enabled
Learn more
-
Block client digest authentication
Baseline default: Enabled
Learn more -
Block storing run as credentials
Baseline default: Enabled
Learn more -
Client basic authentication
Baseline default: Disabled
Learn more -
Basic authentication
Baseline default: Disabled
Learn more -
Client unencrypted traffic
Baseline default: Disabled
Learn more -
Unencrypted traffic
Baseline default: Disabled
Learn more
- RPC unauthenticated client options
Baseline default: Authenticated
Learn more
- Disable indexing encrypted items
Baseline default: Yes
Learn more
-
Turn on Windows SmartScreen
Baseline default: Yes
Learn more -
Block users from ignoring SmartScreen warnings
Baseline default: Yes
Learn more
- System boot start driver initialization
Baseline default: Good unknown and bad critical
Learn more
- Block connection to non-domain networks
Baseline default: Enabled
Learn more
- Ink Workspace
Baseline default: Enabled
Learn more
- PowerShell script block logging
Baseline default: Enabled
Learn more
- Enable tamper protection to prevent Microsoft Defender being disabled
Baseline default: Enable
Learn more
::: zone-end