List of the settings in the Windows 10/11 MDM security baseline in Intune

This article is a reference for the settings that are available in the different versions of the Windows 10/11 MDM security baseline that you can deploy with Microsoft Intune. You can use the tabs below to select and view the settings in the current baseline version and a few older versions that might still be in use.

For each setting you'll find the baseline's default configuration, which is also the configuration the relevant security team recommends for that setting. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults in later versions of the same baseline. Different baseline types, such as the MDM security baseline and the Defender for Endpoint baseline, can also set different defaults for the same setting.

When the Intune UI includes a Learn more link for a setting, that link appears here as well. Use it to view the setting's configuration service provider (CSP) documentation or other content that explains how the setting operates.

When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you created before the new version became available:

  • Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
  • Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see Use security baselines. In that article you'll also find information about how to:

Baseline versions covered by this article:

  • Security Baseline for Windows 10/11 for November 2021
  • Security Baseline for Windows 10/11 for December 2020
  • Security Baseline for Windows 10 and later for August 2020

Above Lock

  • Voice activate apps from locked screen:
    Baseline default: Disabled
    Learn more

  • Block display of toast notifications:
    Baseline default: Yes
    Learn more

App Runtime

  • Microsoft accounts optional for Microsoft store apps:
    Baseline default: Enabled
    Learn more

Application Management

  • Block app installations with elevated privileges:
    Baseline default: Yes
    Learn more

  • Block user control over installations:
    Baseline default: Yes
    Learn more

  • Block game DVR (desktop only):
    Baseline default: Yes
    Learn more

Audit

Audit settings control which events the Windows Security log records for each audit subcategory, and whether success events, failure events, or both are recorded. Subcategories that are set to None generate no events.

  • Account Logon Audit Credential Validation (Device):
    Baseline default: Success and Failure

  • Account Logon Audit Kerberos Authentication Service (Device):
    Baseline default: None

  • Account Logon Logoff Audit Account Lockout (Device):
    Baseline default: Failure

  • Account Logon Logoff Audit Group Membership (Device):
    Baseline default: Success

  • Account Logon Logoff Audit Logon (Device):
    Baseline default: Success and Failure

  • Audit Other Logon Logoff Events (Device):
    Baseline default: Success and Failure

  • Audit Special Logon (Device):
    Baseline default: Success

  • Audit Security Group Management (Device):
    Baseline default: Success

  • Audit User Account Management (Device):
    Baseline default: Success and Failure

  • Detailed Tracking Audit PNP Activity (Device):
    Baseline default: Success

  • Detailed Tracking Audit Process Creation (Device):
    Baseline default: Success

  • Object Access Audit Detailed File Share (Device):
    Baseline default: Failure

  • Audit File Share Access (Device):
    Baseline default: Success and Failure

  • Object Access Audit Other Object Access Events (Device):
    Baseline default: Success and Failure

  • Object Access Audit Removable Storage (Device):
    Baseline default: Success and Failure

  • Audit Authentication Policy Change (Device):
    Baseline default: Success

  • Policy Change Audit MPSSVC Rule Level Policy Change (Device):
    Baseline default: Success and Failure

  • Policy Change Audit Other Policy Change Events (Device):
    Baseline default: Failure

  • Audit Changes to Audit Policy (Device):
    Baseline default: Success

  • Privilege Use Audit Sensitive Privilege Use (Device):
    Baseline default: Success and Failure

  • System Audit Other System Events (Device):
    Baseline default: Success and Failure

  • System Audit Security State Change (Device):
    Baseline default: Success

  • Audit Security System Extension (Device):
    Baseline default: Success

  • System Audit System Integrity (Device):
    Baseline default: Success and Failure

Auto Play

  • Auto play default auto run behavior:
    Baseline default: Do not execute
    Learn more

  • Auto play mode:
    Baseline default: Disabled
    Learn more

  • Block auto play for non-volume devices:
    Baseline default: Enabled
    Learn more

BitLocker

  • BitLocker removable drive policy:
    Baseline default: Configure
    Learn more

    • Block write access to removable data-drives not protected by BitLocker:
      Baseline default: Yes
      Learn more

Browser

  • Block Password Manager:
    Baseline default: Yes
    Learn more

  • Require SmartScreen for Microsoft Edge Legacy:
    Baseline default: Yes
    Learn more

  • Block malicious site access:
    Baseline default: Yes
    Learn more

  • Block unverified file download:
    Baseline default: Yes
    Learn more

  • Prevent user from overriding certificate errors:
    Baseline default: Yes
    Learn more

Connectivity

  • Configure secure access to UNC paths:
    Baseline default: Configure Windows to only allow access to the specified UNC paths after fulfilling additional security requirements
    Learn more

    • Hardened UNC path list:
      Baseline default: Not configured by default. Manually add one or more hardened UNC paths.

  • Block downloading of print drivers over HTTP:
    Baseline default: Enabled
    Learn more

  • Block Internet download for web publishing and online ordering wizards:
    Baseline default: Enabled
    Learn more
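
The Hardened UNC path list above ships empty. As an added example that is not part of the Intune documentation, the two entries below are the NETLOGON and SYSVOL entries that the Microsoft security baseline Group Policy uses, written in the name = value form the list expects, followed by a check of what a device has actually applied. Treat the two paths as a starting point for your own environment, and confirm the registry location, which the example assumes from the ADMX-backed policy, on a device that received the profile.

```powershell
# Added example (not from the Intune documentation). Hardened UNC path entries for
# the list above, and a check of the values a device actually holds.
$HardenedPaths = @{
    '\\*\NETLOGON' = 'RequireMutualAuthentication=1,RequireIntegrity=1'
    '\\*\SYSVOL'   = 'RequireMutualAuthentication=1,RequireIntegrity=1'
}

function Test-HardenedUncPaths {
    # Assumed location: the ADMX-backed policy stores each UNC pattern as a value name
    # under NetworkProvider\HardenedPaths, with the comma-separated requirements as data.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
    $applied = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($path in $HardenedPaths.Keys) {
        $actual = if ($applied) { $applied.$path } else { $null }
        # Parse "RequireMutualAuthentication=1,RequireIntegrity=1" into a lookup so that
        # ordering and extra flags such as RequirePrivacy=1 do not register as drift.
        $flags = @{}
        if ($actual) {
            foreach ($kv in ($actual -split ',')) {
                $k, $v = $kv.Trim() -split '='
                $flags[$k] = $v
            }
        }
        [pscustomobject]@{
            Path               = $path
            MutualAuthRequired = ($flags['RequireMutualAuthentication'] -eq '1')
            IntegrityRequired  = ($flags['RequireIntegrity'] -eq '1')
            Raw                = if ($actual) { $actual } else { '<not set>' }
        }
    }
}

Test-HardenedUncPaths | Format-Table -AutoSize
```

Without entries, the parent setting "Configure secure access to UNC paths" has nothing to enforce, so the Kerberos mutual authentication and SMB signing requirements that protect Group Policy and logon scripts from a spoofed file server never take effect.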

Credentials Delegation

  • Remote host delegation of non-exportable credentials:
    Baseline default: Enabled
    Learn more

Credentials UI

  • Enumerate administrators:
    Baseline default: Disabled
    Learn more

Data Protection

  • Block direct memory access:
    Baseline default: Yes
    Learn more

Device Guard

  • Virtualization based security:
    Baseline default: Enable VBS with secure boot

  • Enable virtualization based security:
    Baseline default: Yes
    Learn more

  • Launch system guard:
    Baseline default: Enabled

  • Turn on credential guard:
    Baseline default: Enable with UEFI lock
    Learn more
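
As an added example that is not part of the Intune documentation, the script below reads the device's actual virtualization-based security state through the Win32_DeviceGuard CIM class and compares it with the Device Guard defaults above. The numeric codes are the documented ones for that class; the LsaCfgFlags registry value used to detect the UEFI lock is an assumption about where the effective Credential Guard setting lands, so confirm it on a device that received the profile.

```powershell
# Added example (not from the Intune documentation). Checks VBS, Credential Guard and
# System Guard Secure Launch against the Device Guard defaults of the baseline.
function Get-DeviceGuardState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI, 3 = System Guard Secure Launch
    $running  = @($dg.SecurityServicesRunning)
    # RequiredSecurityProperties: 1 = base VBS, 2 = Secure Boot, 3 = DMA protection
    $required = @($dg.RequiredSecurityProperties)
    # Assumed: LsaCfgFlags 1 = Credential Guard enabled with UEFI lock, 2 = enabled without lock.
    $lsaCfg = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                                -Name LsaCfgFlags -ErrorAction SilentlyContinue).LsaCfgFlags
    [pscustomobject]@{
        VbsRunning                = ($dg.VirtualizationBasedSecurityStatus -eq 2)   # 0 off, 1 enabled, 2 running
        VbsRequiresSecureBoot     = ($required -contains 2)
        CredentialGuardRunning    = ($running -contains 1)
        CredentialGuardUefiLocked = ($lsaCfg -eq 1)
        SystemGuardLaunchRunning  = ($running -contains 3)
    }
}

function Test-DeviceGuardBaseline {
    $s = Get-DeviceGuardState
    $findings = @()
    if (-not $s.VbsRunning)                { $findings += 'VBS is not running (baseline: Enable VBS with secure boot)' }
    if (-not $s.VbsRequiresSecureBoot)     { $findings += 'VBS does not require Secure Boot' }
    if (-not $s.CredentialGuardRunning)    { $findings += 'Credential Guard is not running' }
    if (-not $s.CredentialGuardUefiLocked) { $findings += 'Credential Guard is not UEFI-locked (baseline: Enable with UEFI lock)' }
    if (-not $s.SystemGuardLaunchRunning)  { $findings += 'System Guard Secure Launch is not running (needs supported firmware and CPU)' }
    if ($findings.Count -eq 0) { 'Device Guard state matches the baseline' } else { $findings }
}

Test-DeviceGuardBaseline
```

A device can report VBS as enabled but not running when the firmware lacks Secure Boot or IOMMU support, which is why the check looks at the running state rather than the configured one. The UEFI lock matters operationally: once Credential Guard is locked, removing it requires a physically present user to accept a firmware prompt, so plan the rollout before applying that default broadly.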

Device Installation

  • Block hardware device installation by setup classes:
    Baseline default: Yes
    Learn more

    • Remove matching hardware devices:
      Baseline default: Yes

    • Block list:
      Baseline default: Not configured by default. Manually add one or more Identifiers.

  • Hardware device installation by device identifiers:
    Baseline default: Block hardware device installation
    Learn more

    • Remove matching hardware devices:
      Baseline default: Yes

    • Hardware device identifiers that are blocked:
      Baseline default: Yes

  • Hardware device installation by setup classes:
    Baseline default: Block hardware device installation
    Learn more

    • Remove matching hardware devices:
      Baseline default: No default configuration

    • Hardware device identifiers that are blocked:
      Baseline default: No default configuration

Device Lock

  • Require password:
    Baseline default: Yes
    Learn more

    • Required password:
      Baseline default: Alphanumeric
      Learn more

    • Password expiration (days):
      Baseline default: 60
      Learn more

    • Password minimum character set count:
      Baseline default: 3
      Learn more

    • Prevent reuse of previous passwords:
      Baseline default: 24
      Learn more

    • Minimum password length:
      Baseline default: 8
      Learn more

    • Number of sign-in failures before wiping device:
      Baseline default: 10
      Learn more

    • Block simple passwords:
      Baseline default: Yes
      Learn more

  • Password minimum age in days:
    Baseline default: 1
    Learn more

  • Prevent use of camera:
    Baseline default: Enabled
    Learn more

  • Prevent slide show:
    Baseline default: Enabled
    Learn more

DMA Guard

  • Enumeration of external devices incompatible with Kernel DMA Protection:
    Baseline default: Block all

Event Log Service

  • Application log maximum file size in KB:
    Baseline default: 32768
    Learn more

  • System log maximum file size in KB:
    Baseline default: 32768
    Learn more

  • Security log maximum file size in KB:
    Baseline default: 196608
    Learn more

Experience

  • Block Windows Spotlight:
    Baseline default: Yes
    Learn more

    • Block third-party suggestions in Windows Spotlight:
      Baseline default: Not configured
      Learn more

    • Block consumer specific features:
      Baseline default: Not configured
      Learn more

Exploit Guard

  • Upload XML:
    Baseline default: Sample xml is provided
    Learn more

File Explorer

  • Block data execution prevention:
    Baseline default: Disabled
    Learn more

  • Block heap termination on corruption:
    Baseline default: Disabled
    Learn more

Firewall

For more information, see 2.2.2 FW_PROFILE_TYPE in the Windows Protocols documentation.

  • Firewall profile domain:
    Baseline default: Configure
    Learn more

    • Inbound connections blocked:
      Baseline default: Yes
      Learn more

    • Outbound connections required:
      Baseline default: Yes
      Learn more

    • Inbound notifications blocked:
      Baseline default: Yes
      Learn more

    • Firewall enabled:
      Baseline default: Allowed
      Learn more

  • Firewall profile private:
    Baseline default: Configure
    Learn more

    • Inbound connections blocked:
      Baseline default: Yes
      Learn more

    • Outbound connections required:
      Baseline default: Yes
      Learn more

    • Inbound notifications blocked:
      Baseline default: Yes
      Learn more

    • Firewall enabled:
      Baseline default: Allowed
      Learn more

  • Firewall profile public:
    Baseline default: Configure
    Learn more

    • Inbound connections blocked:
      Baseline default: Yes
      Learn more

    • Outbound connections required:
      Baseline default: Yes
      Learn more

    • Inbound notifications blocked:
      Baseline default: Yes
      Learn more

    • Firewall enabled:
      Baseline default: Allowed
      Learn more

    • Connection security rules from group policy not merged:
      Baseline default: Yes
      Learn more

    • Policy rules from group policy not merged:
      Baseline default: Yes
      Learn more
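
The following is an added example, not part of the Intune documentation: it compares the three firewall profiles on a device with the Firewall defaults above using the built-in NetSecurity module. "Outbound connections required: Yes" corresponds to a default outbound action of Allow, "Firewall enabled: Allowed" to Enabled = True, and the two "not merged" settings on the public profile to the AllowLocalFirewallRules and AllowLocalIPsecRules properties; that last mapping is the author's reading of the CSP and should be confirmed against the Learn more links.

```powershell
# Added example (not from the Intune documentation). Reports firewall profile settings
# that differ from the baseline defaults.
function Test-FirewallBaseline {
    $common = @{ Enabled = $true; DefaultInboundAction = 'Block'; DefaultOutboundAction = 'Allow'; NotifyOnListen = $false }
    $expected = @{
        Domain  = $common
        Private = $common
        # Public additionally refuses to merge locally defined firewall and connection
        # security (IPsec) rules with the policy-delivered ones.
        Public  = $common + @{ AllowLocalFirewallRules = $false; AllowLocalIPsecRules = $false }
    }
    foreach ($fwProfile in Get-NetFirewallProfile) {
        $want = $expected[$fwProfile.Name]
        if (-not $want) { continue }
        foreach ($prop in ($want.Keys | Sort-Object)) {
            $actual = $fwProfile.$prop
            # The cmdlet returns enumerations (Block, Allow, True, False, NotConfigured);
            # compare as strings so booleans and enum members line up.
            $ok = ("$actual" -eq "$($want[$prop])")
            [pscustomobject]@{
                Profile  = $fwProfile.Name
                Setting  = $prop
                Expected = "$($want[$prop])"
                Actual   = "$actual"
                Status   = if ($ok) { 'OK' } else { 'DRIFT' }
            }
        }
    }
}

Test-FirewallBaseline | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

A value of NotConfigured for a property means no policy is setting it and the local default applies; treat that as drift for the inbound action and enabled state, since the baseline's protection depends on policy owning those values.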

Internet Explorer

  • Internet Explorer encryption support:
    Baseline default: Two items: TLS v1.1 and TLS v1.2
    Learn more

  • Internet Explorer prevent managing smart screen filter:
    Baseline default: Enable
    Learn more

  • Internet Explorer restricted zone script Active X controls marked safe for scripting:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone file downloads:
    Baseline default: Disable
    Learn more

  • Internet Explorer certificate address mismatch warning:
    Baseline default: Enabled
    Learn more

  • Internet Explorer enhanced protected mode:
    Baseline default: Enabled
    Learn more

  • Internet Explorer fallback to SSL3:
    Baseline default: No sites
    Learn more

  • Internet Explorer software when signature is invalid:
    Baseline default: Disabled
    Learn more

  • Internet Explorer check server certificate revocation:
    Baseline default: Enabled
    Learn more

  • Internet Explorer check signatures on downloaded programs:
    Baseline default: Enabled
    Learn more

  • Internet Explorer processes consistent MIME handling:
    Baseline default: Enable
    Learn more

  • Internet Explorer bypass smart screen warnings:
    Baseline default: Disabled
    Learn more

  • Internet Explorer bypass smart screen warnings about uncommon files:
    Baseline default: Disable
    Learn more

  • Internet Explorer crash detection:
    Baseline default: Disabled
    Learn more

  • Internet Explorer download enclosures:
    Baseline default: Disabled
    Learn more

  • Internet Explorer ignore certificate errors:
    Baseline default: Disabled
    Learn more

  • Internet Explorer disable processes in enhanced protected mode:
    Baseline default: Enabled
    Learn more

  • Internet Explorer security settings check:
    Baseline default: Enabled
    Learn more

  • Internet Explorer Active X controls in protected mode:
    Baseline default: Disabled
    Learn more

  • Internet Explorer users adding sites:
    Baseline default: Disabled
    Learn more

  • Internet Explorer users changing policies:
    Baseline default: Disabled
    Learn more

  • Internet Explorer block outdated Active X controls:
    Baseline default: Enabled
    Learn more

  • Internet Explorer include all network paths:
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone access to data sources:
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone automatic prompt for file downloads:
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone copy and paste via script:
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone drag and drop or copy and paste files:
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone less privileged sites:
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone loading of XAML files:
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone .NET Framework reliant components:
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone allow only approved domains to use ActiveX controls:
    Baseline default: Enabled
    Learn more

  • Internet Explorer internet zone allow only approved domains to use tdc ActiveX controls:
    Baseline default: Enabled
    Learn more

  • Internet Explorer internet zone scripting of web browser controls:
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone script initiated windows:
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone scriptlets:
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone smart screen:
    Baseline default: Enabled
    Learn more

  • Internet Explorer internet zone updates to status bar via script:
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone user data persistence:
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone allow VBscript to run:
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone do not run antimalware against ActiveX controls:
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone download signed ActiveX controls:
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone download unsigned ActiveX controls:
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone cross site scripting filter:
    Baseline default: Enabled
    Learn more

  • Internet Explorer internet zone drag content from different domains across windows:
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone drag content from different domains within windows:
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone protected mode:
    Baseline default: Enable
    Learn more

  • Internet Explorer internet zone include local path when uploading files to server:
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone initialize and script Active X controls not marked as safe:
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone java permissions:
    Baseline default: Disable java
    Learn more

  • Internet Explorer internet zone launch applications and files in an iframe:
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone logon options:
    Baseline default: Prompt
    Learn more

  • Internet Explorer internet zone navigate windows and frames across different domains:
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone run .NET Framework reliant components signed with Authenticode:
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone security warning for potentially unsafe files:
    Baseline default: Prompt
    Learn more

  • Internet Explorer internet zone popup blocker:
    Baseline default: Enable
    Learn more

  • Internet Explorer intranet zone do not run antimalware against Active X controls:
    Baseline default: Disabled
    Learn more

  • Internet Explorer intranet zone initialize and script Active X controls not marked as safe:
    Baseline default: Disable
    Learn more

  • Internet Explorer intranet zone java permissions:
    Baseline default: High safety
    Learn more

  • Internet Explorer local machine zone do not run antimalware against Active X controls:
    Baseline default: Disabled
    Learn more

  • Internet Explorer local machine zone java permissions:
    Baseline default: Disable java
    Learn more

  • Internet Explorer locked down internet zone smart screen:
    Baseline default: Enabled
    Learn more

  • Internet Explorer locked down intranet zone java permissions:
    Baseline default: Disable java
    Learn more

  • Internet Explorer locked down local machine zone java permissions:
    Baseline default: Disable java
    Learn more

  • Internet Explorer locked down restricted zone smart screen:
    Baseline default: Enabled
    Learn more

  • Internet Explorer locked down restricted zone java permissions:
    Baseline default: Disable Java
    Learn more

  • Internet Explorer locked down trusted zone java permissions:
    Baseline default: Disable java
    Learn more

  • Internet Explorer processes MIME sniffing safety feature:
    Baseline default: Enable
    Learn more

  • Internet Explorer processes MK protocol security restriction:
    Baseline default: Enabled
    Learn more

  • Internet Explorer processes notification bar:
    Baseline default: Enabled
    Learn more

  • Internet Explorer prevent per user installation of Active X controls:
    Baseline default: Enabled
    Learn more

  • Internet Explorer processes protection from zone elevation:
    Baseline default: Enabled
    Learn more

  • Internet Explorer remove run this time button for outdated Active X controls:
    Baseline default: Enabled
    Learn more

  • Internet Explorer processes restrict Active X install:
    Baseline default: Enabled
    Learn more

  • Internet Explorer restricted zone access to data sources:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone active scripting:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone automatic prompt for file downloads:
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone binary and script behaviors:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone copy and paste via script:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone drag and drop or copy and paste files:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone less privileged sites:
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone loading of XAML files:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone meta refresh:
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone .NET Framework reliant components:
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone allow only approved domains to use Active X controls:
    Baseline default: Enabled
    Learn more

  • Internet Explorer restricted zone allow only approved domains to use tdc Active X controls:
    Baseline default: Enabled
    Learn more

  • Internet Explorer restricted zone scripting of web browser controls:
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone script initiated windows:
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone scriptlets:
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone smart screen:
    Baseline default: Enabled
    Learn more

  • Internet Explorer restricted zone updates to status bar via script:
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone user data persistence:
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone allow vbscript to run:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone do not run antimalware against Active X controls:
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone download signed Active X controls:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone download unsigned Active X controls:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone cross site scripting filter:
    Baseline default: Enabled
    Learn more

  • Internet Explorer restricted zone drag content from different domains across windows:
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone drag content from different domains within windows:
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone include local path when uploading files to server:
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone initialize and script Active X controls not marked as safe:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone java permissions:
    Baseline default: Disable java
    Learn more

  • Internet Explorer restricted zone launch applications and files in an iFrame:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone logon options:
    Baseline default: Anonymous
    Learn more

  • Internet Explorer restricted zone navigate windows and frames across different domains:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone run Active X controls and plugins:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone run .NET Framework reliant components signed with Authenticode:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone scripting of java applets:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone security warning for potentially unsafe files:
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone protected mode:
    Baseline default: Enable
    Learn more

  • Internet Explorer restricted zone popup blocker:
    Baseline default: Enable
    Learn more

  • Internet Explorer processes restrict file download:
    Baseline default: Enabled
    Learn more

  • Internet Explorer processes scripted window security restrictions:
    Baseline default: Enabled
    Learn more

  • Internet Explorer security zones use only machine settings:
    Baseline default: Enabled
    Learn more

  • Internet Explorer use Active X installer service:
    Baseline default: Enabled
    Learn more

  • Internet Explorer trusted zone do not run antimalware against Active X controls:
    Baseline default: Disabled
    Learn more

  • Internet Explorer trusted zone initialize and script Active X controls not marked as safe:
    Baseline default: Disable
    Learn more

  • Internet Explorer trusted zone java permissions:
    Baseline default: High safety
    Learn more

  • Internet Explorer auto complete:
    Baseline default: Disabled
    Learn more

Local Policies Security Options

  • Block remote logon with blank password:
    Baseline default: Yes
    Learn more

  • Minutes of lock screen inactivity until screen saver activates:
    Baseline default: 15
    Learn more

  • Smart card removal behavior:
    Baseline default: Lock workstation
    Learn more

  • Require client to always digitally sign communications:
    Baseline default: Yes
    Learn more

  • Prevent clients from sending unencrypted passwords to third party SMB servers:
    Baseline default: Yes
    Learn more

  • Require server digitally signing communications always:
    Baseline default: Yes
    Learn more

  • Prevent anonymous enumeration of SAM accounts:
    Baseline default: Yes
    Learn more

  • Block anonymous enumeration of SAM accounts and shares:
    Baseline default: Yes
    Learn more

  • Restrict anonymous access to named pipes and shares:
    Baseline default: Yes
    Learn more

  • Allow remote calls to security accounts manager:
    Baseline default: O:BAG:BAD:(A;;RC;;;BA)
    Learn more

  • Prevent storing LAN manager hash value on next password change:
    Baseline default: Yes
    Learn more

  • Authentication level:
    Baseline default: Send NTLMv2 response only. Refuse LM and NTLM
    Learn more

  • Minimum session security for NTLM SSP based clients:
    Baseline default: Require NTLM V2 and 128 bit encryption
    Learn more

  • Minimum session security for NTLM SSP based servers:
    Baseline default: Require NTLM V2 and 128 bit encryption
    Learn more

  • Administrator elevation prompt behavior:
    Baseline default: Prompt for consent on the secure desktop
    Learn more

  • Standard user elevation prompt behavior:
    Baseline default: Automatically deny elevation requests
    Learn more

  • Detect application installations and prompt for elevation:
    Baseline default: Yes
    Learn more

  • Only allow UI access applications for secure locations:
    Baseline default: Yes
    Learn more

  • Require admin approval mode for administrators:
    Baseline default: Yes
    Learn more

  • Use admin approval mode:
    Baseline default: Yes
    Learn more

  • Virtualize file and registry write failures to per user locations:
    Baseline default: Yes
    Learn more

Microsoft Defender

  • Block Adobe Reader from creating child processes:
    Baseline default: Enable
    Learn more

  • Block Office communication apps launch in a child process:
    Baseline default: Enable
    Learn more

  • Enter how often (0-24 hours) to check for security intelligence updates:
    Baseline default: 4
    Learn more

  • Scan type:
    Baseline default: Quick scan
    Learn more

  • Defender schedule scan day:
    Baseline default: Every day

  • Defender scan start time:
    Baseline default: Not configured

  • Cloud-delivered protection level:
    Baseline default: Not Configured
    Learn more

  • Scan network files:
    Baseline default: Yes
    Learn more

  • Turn on real-time protection:
    Baseline default: Yes
    Learn more

  • Scan scripts that are used in Microsoft browsers:
    Baseline default: Yes
    Learn more

  • Scan archive files:
    Baseline default: Yes
    Learn more

  • Turn on behavior monitoring:
    Baseline default: Yes
    Learn more

  • Turn on cloud-delivered protection:
    Baseline default: Yes
    Learn more

  • Scan incoming mail messages:
    Baseline default: Yes
    Learn more

  • Scan removable drives during a full scan:
    Baseline default: Yes
    Learn more

  • Block Office applications from injecting code into other processes:
    Baseline default: Block
    Learn more

  • Block Office applications from creating executable content:
    Baseline default: Block
    Learn more

  • Block all Office applications from creating child processes:
    Baseline default: Block
    Learn more

  • Block Win32 API calls from Office macro:
    Baseline default: Block
    Learn more

  • Block execution of potentially obfuscated scripts (js/vbs/ps):
    Baseline default: Block
    Learn more

  • Block JavaScript or VBScript from launching downloaded executable content:
    Baseline default: Block
    Learn more

  • Block executable content download from email and webmail clients:
    Baseline default: Block
    Learn more

  • Block credential stealing from the Windows local security authority subsystem (lsass.exe):
    Baseline default: Enable
    Learn more

  • Defender potentially unwanted app action:
    Baseline default: Block
    Learn more

  • Block untrusted and unsigned processes that run from USB:
    Baseline default: Block
    Learn more

  • Enable network protection:
    Baseline default: Enable
    Learn more

  • Defender sample submission consent type:
    Baseline default: Send safe samples automatically
    Learn more


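The following is an added example, not part of the Intune documentation: it reads the device's effective Microsoft Defender configuration with Get-MpPreference and reports every setting in the Microsoft Defender section above that is not at the baseline default. The rule GUIDs are the published attack surface reduction rule identifiers and the property names come from the Defender PowerShell module; the numeric codes are the ones Set-MpPreference documents.

```powershell
# Added example (not from the Intune documentation). Checks attack surface reduction
# rules and the other Defender settings in the baseline against Get-MpPreference.
$AsrRules = @{
    'Block all Office applications from creating child processes'               = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block Office applications from creating executable content'                = '3B576869-A4EC-4529-8536-B80A7769E899'
    'Block Office applications from injecting code into other processes'        = '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84'
    'Block Win32 API calls from Office macro'                                   = '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B'
    'Block JavaScript or VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block execution of potentially obfuscated scripts'                         = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block executable content download from email and webmail clients'          = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block credential stealing from lsass.exe'                                  = '9E6C4E1F-7D60-472F-BA1A-A39EF669E4B2'
    'Block untrusted and unsigned processes that run from USB'                  = 'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
    'Block Adobe Reader from creating child processes'                          = '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C'
    'Block Office communication apps launch in a child process'                 = '26190899-1602-49E8-8B27-EB1D0A1CE869'
}

function Test-DefenderBaseline {
    $p = Get-MpPreference

    # ASR rules are exposed as two parallel arrays: rule ids and their actions
    # (0 = Off, 1 = Block, 2 = Audit, 6 = Warn). Build an id -> action map.
    $actions = @{}
    $ids  = @($p.AttackSurfaceReductionRules_Ids)
    $acts = @($p.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        if ($ids[$i]) { $actions[("$($ids[$i])").ToUpperInvariant()] = [int]$acts[$i] }
    }
    foreach ($name in ($AsrRules.Keys | Sort-Object)) {
        $a = $actions[$AsrRules[$name]]
        $actualText = if ($null -eq $a) { '<not set>' } elseif ($a -eq 1) { 'Block' } elseif ($a -eq 2) { 'Audit' } elseif ($a -eq 6) { 'Warn' } else { 'Off' }
        [pscustomobject]@{ Setting = $name; Expected = 'Block'; Actual = $actualText; Status = if ($a -eq 1) { 'OK' } else { 'DRIFT' } }
    }

    # Remaining settings: label, expected as shown in the baseline, raw value, pass/fail.
    $other = @(
        @('Turn on real-time protection',              'Yes',   $p.DisableRealtimeMonitoring,     (-not $p.DisableRealtimeMonitoring)),
        @('Turn on behavior monitoring',               'Yes',   $p.DisableBehaviorMonitoring,     (-not $p.DisableBehaviorMonitoring)),
        @('Scan scripts used in Microsoft browsers',   'Yes',   $p.DisableScriptScanning,         (-not $p.DisableScriptScanning)),
        @('Scan archive files',                        'Yes',   $p.DisableArchiveScanning,        (-not $p.DisableArchiveScanning)),
        @('Scan incoming mail messages',               'Yes',   $p.DisableEmailScanning,          (-not $p.DisableEmailScanning)),
        @('Scan removable drives during a full scan',  'Yes',   $p.DisableRemovableDriveScanning, (-not $p.DisableRemovableDriveScanning)),
        @('Scan network files',                        'Yes',   $p.DisableScanningNetworkFiles,   (-not $p.DisableScanningNetworkFiles)),
        @('Turn on cloud-delivered protection',        'Yes',   $p.MAPSReporting,                 ($p.MAPSReporting -gt 0)),   # 1 = Basic, 2 = Advanced
        @('Defender sample submission consent type',   'Send safe samples automatically', $p.SubmitSamplesConsent, ($p.SubmitSamplesConsent -eq 1)),
        @('Defender potentially unwanted app action',  'Block', $p.PUAProtection,                 ($p.PUAProtection -eq 1)),
        @('Enable network protection',                 'Enable',$p.EnableNetworkProtection,       ($p.EnableNetworkProtection -eq 1)),
        @('Security intelligence update interval (h)', '4',     $p.SignatureUpdateInterval,       ($p.SignatureUpdateInterval -eq 4)),
        @('Scan type',                                 'Quick scan', $p.ScanParameters,           ($p.ScanParameters -eq 1)),
        @('Defender schedule scan day',                'Every day',  $p.ScanScheduleDay,          ($p.ScanScheduleDay -eq 0))
    )
    foreach ($o in $other) {
        $label, $expected, $raw, $ok = $o
        [pscustomobject]@{ Setting = $label; Expected = $expected; Actual = "$raw"; Status = if ($ok) { 'OK' } else { 'DRIFT' } }
    }
}

Test-DefenderBaseline | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

A rule reported as Audit rather than Block is the common finding on devices that were piloted with audit mode and never promoted; the baseline expects Block for all eleven rules, and the Defender CSP treats an unlisted rule as Off rather than as the baseline default.
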
MS Security Guide

  • SMB v1 client driver start configuration:
    Baseline default: Disabled driver
    Learn more

  • Apply UAC restrictions to local accounts on network logon:
    Baseline default: Enabled
    Learn more

  • Structured exception handling overwrite protection:
    Baseline default: Enabled
    Learn more

  • SMB v1 server:
    Baseline default: Disabled
    Learn more

  • Digest authentication:
    Baseline default: Disabled
    Learn more
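
The following is an added example, not part of the Intune documentation, and it serves both the Local Policies Security Options section above and this MS Security Guide section: a script that reads the effective registry values behind those settings and reports drift from the baseline defaults. The registry locations are the classic ones these policies write to; on MDM-managed devices confirm the mapping against the CSP documentation linked from each setting before relying on it.

```powershell
# Added example (not from the Intune documentation). Checks the effective values behind
# the Local Policies Security Options and MS Security Guide settings of the baseline.
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Uac    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$SmbCli = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$SmbSrv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$WinLog = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$WDig   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
$Smb10  = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10'

# value name, key, expected value, baseline setting it implements
$Checks = @(
    @('LmCompatibilityLevel',          $Lsa,    5,          'Authentication level: NTLMv2 only, refuse LM and NTLM'),
    @('NoLMHash',                      $Lsa,    1,          'Prevent storing LAN manager hash value'),
    @('RestrictAnonymousSAM',          $Lsa,    1,          'Prevent anonymous enumeration of SAM accounts'),
    @('RestrictAnonymous',             $Lsa,    1,          'Block anonymous enumeration of SAM accounts and shares'),
    @('LimitBlankPasswordUse',         $Lsa,    1,          'Block remote logon with blank password'),
    @('RestrictRemoteSAM',             $Lsa,    'O:BAG:BAD:(A;;RC;;;BA)', 'Allow remote calls to SAM: Administrators only'),
    @('NTLMMinClientSec',              $Msv,    0x20080000, 'Minimum session security for NTLM SSP clients'),
    @('NTLMMinServerSec',              $Msv,    0x20080000, 'Minimum session security for NTLM SSP servers'),
    @('ConsentPromptBehaviorAdmin',    $Uac,    2,          'Administrator elevation prompt: consent on secure desktop'),
    @('ConsentPromptBehaviorUser',     $Uac,    0,          'Standard user elevation prompt: automatically deny'),
    @('EnableInstallerDetection',      $Uac,    1,          'Detect application installations and prompt for elevation'),
    @('EnableSecureUIAPaths',          $Uac,    1,          'Only allow UIAccess applications from secure locations'),
    @('FilterAdministratorToken',      $Uac,    1,          'Require admin approval mode for administrators'),
    @('EnableLUA',                     $Uac,    1,          'Use admin approval mode'),
    @('EnableVirtualization',          $Uac,    1,          'Virtualize file and registry write failures'),
    @('InactivityTimeoutSecs',         $Uac,    900,        'Lock screen inactivity: 15 minutes'),
    @('LocalAccountTokenFilterPolicy', $Uac,    0,          'Apply UAC restrictions to local accounts on network logon'),
    @('ScRemoveOption',                $WinLog, '1',        'Smart card removal behavior: lock workstation'),
    @('RequireSecuritySignature',      $SmbCli, 1,          'Client always digitally signs communications'),
    @('EnablePlainTextPassword',       $SmbCli, 0,          'No unencrypted passwords to third-party SMB servers'),
    @('RequireSecuritySignature',      $SmbSrv, 1,          'Server always digitally signs communications'),
    @('RestrictNullSessAccess',        $SmbSrv, 1,          'Restrict anonymous access to named pipes and shares'),
    @('SMB1',                          $SmbSrv, 0,          'SMB v1 server disabled'),
    @('Start',                         $Smb10,  4,          'SMB v1 client driver: disabled driver'),
    @('UseLogonCredential',            $WDig,   0,          'Digest authentication disabled (no plaintext credentials in LSASS)')
)

function Get-RegistryValueOrNull([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-SecurityOptionsBaseline {
    foreach ($c in $Checks) {
        $name, $key, $expected, $label = $c
        $actual = Get-RegistryValueOrNull -Key $key -Name $name
        # A missing value means the OS default for this build applies. Report it as
        # drift and confirm that default explicitly rather than assuming it is safe.
        $ok = ($null -ne $actual) -and ("$actual" -eq "$expected")
        [pscustomobject]@{
            Setting  = $label
            Value    = "$key\$name"
            Expected = "$expected"
            Actual   = if ($null -eq $actual) { '<not set>' } else { "$actual" }
            Status   = if ($ok) { 'OK' } else { 'DRIFT' }
        }
    }
}

Test-SecurityOptionsBaseline | Where-Object Status -ne 'OK' | Format-Table Setting, Expected, Actual -AutoSize
```

The NTLM minimum session security value 0x20080000 is the combination of the NTLMv2 session security and 128-bit encryption flags, which is what both "Require NTLM V2 and 128 bit encryption" defaults mean; the SDDL string for remote SAM access grants only the Administrators group (BA) read-control.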

MSS Legacy

  • Network IPv6 source routing protection level:
    Baseline default: Highest protection
    Learn more

  • Network IP source routing protection level:
    Baseline default: Highest protection
    Learn more

  • Network ignore NetBIOS name release requests except from WINS servers:
    Baseline default: Enabled
    Learn more

  • Network ICMP redirects override OSPF generated routes:
    Baseline default: Disabled
    Learn more

Power

  • Require password on wake while on battery:
    Baseline default: Enabled
    Learn more

  • Require password on wake while plugged in:
    Baseline default: Enabled
    Learn more

  • Standby states when sleeping while on battery:
    Baseline default: Disabled
    Learn more

  • Standby states when sleeping while plugged in:
    Baseline default: Disabled
    Learn more

Remote Assistance

  • Remote Assistance solicited:
    Baseline default: Disable Remote Assistance
    Learn more

Remote Desktop Services

  • Remote desktop services client connection encryption level:
    Baseline default: High
    Learn more

  • Block drive redirection:
    Baseline default: Enabled

  • Block password saving:
    Baseline default: Enabled
    Learn more

  • Prompt for password upon connection:
    Baseline default: Enabled
    Learn more

  • Secure RPC communication:
    Baseline default: Enabled
    Learn more

Remote Management

  • Block client digest authentication:
    Baseline default: Enabled
    Learn more

  • Block storing run as credentials:
    Baseline default: Enabled
    Learn more

  • Client basic authentication:
    Baseline default: Disabled
    Learn more

  • Basic authentication:
    Baseline default: Disabled
    Learn more

  • Client unencrypted traffic:
    Baseline default: Disabled
    Learn more

  • Unencrypted traffic:
    Baseline default: Disabled
    Learn more

Remote Procedure Call

  • RPC unauthenticated client options:
    Baseline default: Authenticated
    Learn more

Search

  • Disable indexing encrypted items:
    Baseline default: Yes
    Learn more

Smart Screen

  • Turn on Windows SmartScreen:
    Baseline default: Yes
    Learn more

  • Block users from ignoring SmartScreen warnings:
    Baseline default: Yes
    Learn more

System

  • System boot start driver initialization:
    Baseline default: Good, unknown, and bad but critical
    Learn more

Wi-Fi

  • Block Automatically connecting to Wi-Fi hotspots:
    Baseline default: Yes
    Learn more

  • Block Internet sharing:
    Baseline default: Yes
    Learn more

Windows Connection Manager

  • Block connection to non-domain networks:
    Baseline default: Enabled
    Learn more

Windows Ink Workspace

  • Ink Workspace:
    Baseline default: Enabled
    Learn more

Windows PowerShell

  • PowerShell script block logging:
    Baseline default: Enabled
    Learn more
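
As an added example that is not part of the Intune documentation, the script below confirms that script block logging is in force on a device and then reassembles the most recent logged script blocks from event 4104 in the PowerShell operational log. Long scripts are written as several 4104 events that share one ScriptBlockId, so detection logic that inspects single events misses content split across parts; the example joins them back together. The policy registry location is the one the ADMX-backed policy uses and is an assumption to confirm on a managed device.

```powershell
# Added example (not from the Intune documentation). Verifies the script block logging
# policy and reconstructs multi-part script blocks from event 4104.
function Test-ScriptBlockLogging {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $v = (Get-ItemProperty -Path $key -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    return ($v -eq 1)
}

function Get-LoggedScriptBlocks {
    param([int]$MaxEvents = 200)
    # Event 4104 "Creating Scriptblock text" carries these properties, in order:
    # [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $events |
        ForEach-Object {
            [pscustomobject]@{
                Id    = "$($_.Properties[3].Value)"
                Part  = [int]$_.Properties[0].Value
                Total = [int]$_.Properties[1].Value
                Text  = "$($_.Properties[2].Value)"
                Path  = "$($_.Properties[4].Value)"
                Time  = $_.TimeCreated
            }
        } |
        Group-Object Id |
        ForEach-Object {
            $parts = @($_.Group | Sort-Object Part)
            [pscustomobject]@{
                ScriptBlockId = $_.Name
                Path          = $parts[0].Path
                FirstSeen     = ($parts | Measure-Object Time -Minimum).Minimum
                # False when some fragments fall outside the MaxEvents window.
                Complete      = ($parts.Count -eq $parts[0].Total)
                Script        = ($parts.Text -join '')
            }
        }
}

if (-not (Test-ScriptBlockLogging)) { Write-Warning 'Script block logging policy is not enabled on this device' }
Get-LoggedScriptBlocks -MaxEvents 50 |
    Select-Object ScriptBlockId, Path, Complete,
        @{ n = 'Preview'; e = { $_.Script.Substring(0, [Math]::Min(80, $_.Script.Length)) } } |
    Format-Table -AutoSize
```

Script block logging records the de-obfuscated code PowerShell actually compiles, which is why the baseline enables it even though it does not enable module logging or transcription; size the operational log accordingly, because the 4104 volume from routine management scripts is significant.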

Next steps