Security baseline for Windows 10 (v1511, "Threshold 2") -- FINAL

Microsoft is pleased to announce the final release of the security configuration baseline settings for Windows 10 version 1511, also known as "November Update," "Build 10586," "Threshold 2," or "TH2." The downloadable attachment to this blog post includes importable GPOs, tools for applying the GPOs to local GPO, custom ADMX files for Group Policy settings, and all the settings in spreadsheet form. We will also be publishing SCM .CAB files for this Windows 10 baseline shortly, and will announce their availability on the Security Guidance blog. (Note that we will not be providing updated SCM .CAB files for the IE11 guidance. For that content, see the attachment on this blog post.)

These are the updates we have made since the draft release in November, following continuing discussions with security experts in Microsoft, the Center for Internet Security, and customers:

  • Enabled "Turn off Microsoft consumer experiences," which is a new setting as of version 1511.
  • Removed configuration of "Allow unicast response" from all three Windows Firewall profiles, as disallowing unicast response regularly causes DHCP address acquisition to fail. The threat it is supposed to protect against is miniscule.
  • Removed the restrictions on the number of cached logons. Cached logon verifiers are difficult to break, particularly on Windows Vista and newer. (The DISA STIG has also removed this restriction.)
  • Removed the screen saver timeout from User configuration, as the computer-wide "Interactive logon: Machine inactivity limit" setting removes that need.
  • Removed all EMET settings from the baseline for the time being. Configuration settings in the upcoming version of EMET will be in a different format from that of the existing EMET 5.5 beta.
  • Removed the configuration setting for "Recovery console: Allow automatic administrative logon." This setting has been obsolete since Windows XP and its removal just got missed until now.

Windows 10 TH2 Security