Edit

List of the settings in the Windows 365 Cloud PC security baseline in Intune

  • Article

This article is a reference for the settings that are available in the Windows 365 Cloud PC security baseline that you can deploy with Microsoft Intune.

For each setting you’ll find the baselines default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types, like the MDM security and the Defender for Endpoint baselines, could also set different defaults.

When the Intune UI includes a Learn more link for a setting, you’ll find that here as well. Use that link to view the settings policy configuration service provider (CSP) or relevant content that explains the settings operation.

When a new version of a baseline becomes available, it replaces the previous version. Profiles instances that you’ve created prior to the availability of a new version:

  • Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
  • Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see Use security baselines. In that article you'll also find information about how to:

Windows 365 Cloud PC security baseline version 2110:

Above Lock

  • Voice activate apps from locked screen:
    Baseline default: Disabled
    Learn more

  • Block display of toast notifications:
    Baseline default: Yes
    Learn more

App Runtime

  • Microsoft accounts optional for Microsoft store apps:
    Baseline default: Enabled
    Learn more

Application management

  • Block app installations with elevated privileges:
    Baseline default: Yes
    Learn more

  • Block user control over installations:
    Baseline default: Yes
    Learn more

  • Block game DVR (desktop only):
    Baseline default: Yes
    Learn more

Attack Surface Reduction Rules

For general information, see Learn about attack surface reduction rules.

  • Block Office communication apps from creating child processes:
    Baseline default: Enable
    Learn more

  • Block Adobe Reader from creating child processes:
    Baseline default: Enable
    Learn more

  • Block Office applications from injecting code into other processes:
    Baseline default: Block
    Learn more

  • Block Office applications from creating executable content:
    Baseline default: Block
    Learn more

  • Block JavaScript or VBScript from launching downloaded executable content:
    Baseline default: Block
    Learn more

  • Enable network protection:
    Baseline default: Enable
    Learn more

  • Block untrusted and unsigned processes that run from USB:
    Baseline default: Block
    Learn more

  • Block credential stealing from the Windows local security authority subsystem (lsass.exe):
    Baseline default: Enable
    Learn more

  • Block all Office applications from creating child processes:
    Baseline default: Block
    Learn more

  • Block execution of potentially obfuscated scripts (js/vbs/ps):
    Baseline default: Block
    Learn more

  • Block Win32 API calls from Office macro:
    Baseline default: Block
    Learn more

  • Block executable content download from email and webmail clients:
    Baseline default: Block
    Learn more

Audit

Audit settings configure the events that are generated for the conditions of the setting.

  • Account Logon Audit Credential Validation (Device):
    Baseline default: Success and Failure

  • Account Logon Audit Kerberos Authentication Service (Device):
    Baseline default: None

  • Account Logon Logoff Audit Account Lockout (Device):
    Baseline default: Failure

  • Account Logon Logoff Audit Group Membership (Device):
    Baseline default: Success

  • Account Logon Logoff Audit Logon (Device):
    Baseline default: Success and Failure

  • Audit Other Logon Logoff Events (Device):
    Baseline default: Success and Failure

  • Audit Special Logon (Device):
    Baseline default: Success

  • Audit Security Group Management (Device):
    Baseline default: Success

  • Audit User Account Management (Device):
    Baseline default: Success and Failure

  • Detailed Tracking Audit PNP Activity (Device):
    Baseline default: Success

  • Detailed Tracking Audit Process Creation (Device):
    Baseline default: Success

  • Object Access Audit Detailed File Share (Device):
    Baseline default: Failure

  • Audit File Share Access (Device):
    Baseline default: Success and Failure

  • Object Access Audit Other Object Access Events (Device):
    Baseline default: Success and Failure

  • Object Access Audit Removable Storage (Device):
    Baseline default: Success and Failure

  • Audit Authentication Policy Change (Device):
    Baseline default: Success

  • Policy Change Audit MPSSVC Rule Level Policy Change (Device):
    Baseline default: Success and Failure

  • Policy Change Audit Other Policy Change Events (Device):
    Baseline default: Failure

  • Audit Changes to Audit Policy (Device):
    Baseline default: Success

  • Privilege Use Audit Sensitive Privilege Use (Device):
    Baseline default: Success and Failure

  • System Audit Other System Events (Device):
    Baseline default: Success and Failure

  • System Audit Security State Change (Device):
    Baseline default: Success

  • Audit Security System Extension (Device):
    Baseline default: Success

  • System Audit System Integrity (Device):
    Baseline default: Success and Failure

Auto Play

  • Auto play default auto run behavior:
    Baseline default: Do not execute
    Learn more

  • Auto play mode:
    Baseline default: Disabled
    Learn more

  • Block auto play for non-volume devices:
    Baseline default: Enabled
    Learn more

Browser

  • Block Password Manager:
    Baseline default: Yes
    Learn more

  • Require SmartScreen for Microsoft Edge Legacy:
    Baseline default: Yes
    Learn more

  • Block malicious site:
    Baseline default: Yes
    Learn more

  • Block unverified file download:
    Baseline default: Yes
    Learn more

  • Prevent user from overriding certificate errors:
    Baseline default: Yes
    Learn more

Connectivity

  • Configure secure access to UNC paths:
    Baseline default: Configure Windows to only allow access to the specified UNC paths after fulfilling additional security requirements
    Learn more

    • Hardened UNC path list:
      Not configured by default. Manually add one or more hardened UNC paths.

  • Block downloading of print drivers over HTTP:
    Baseline default: Enabled
    Learn more

  • Block Internet download for web publishing and online ordering wizards:
    Baseline default: Enabled
    Learn more

Credentials Delegation

  • Remote host delegation of non-exportable credentials:
    Baseline default: Enabled
    Learn more

Credentials UI

  • Enumerate administrators:
    Baseline default: Disabled
    Learn more

Device Guard

  • Virtualization based security:
    Baseline default: Enable VBS with secure boot

  • Enable virtualization based security:
    Baseline default: Yes
    Learn more

  • Launch system guard:
    Baseline default: Enabled

  • Turn on Credential Guard:
    Baseline default: Enable with UEFI lock
    Learn more

Device Installation

  • Block hardware device installation by setup classes
    Baseline default: Yes
    Learn more

    • Remove matching hardware devices
      Baseline default: Yes

    • Block list
      Not configured by default. Manually add one or more Identifiers.

DMA Guard

  • Enumeration of external devices incompatible with Kernel DMA Protection
    Baseline default: Block all

Event Log Service

  • Application log maximum file size in KB
    Baseline default: 32768
    Learn more

  • System log maximum file size in KB
    Baseline default: 32768
    Learn more

  • Security log maximum file size in KB
    Baseline default: 196608
    Learn more

Experience

  • Block Windows Spotlight
    Baseline default: Yes
    Learn more

File Explorer

  • Block data execution prevention
    Baseline default: Disabled
    Learn more

  • Block heap termination on corruption
    Baseline default: Disabled
    Learn more

Firewall

For more information, see 2.2.2 FW_PROFILE_TYPE in the Windows Protocols documentation.

  • Firewall profile domain:
    Baseline default: Configure
    Learn more

    • Inbound connections blocked:
      Baseline default: Yes
      Learn more

    • Outbound connections required:
      Baseline default: Yes
      Learn more

    • Inbound notifications blocked:
      Baseline default: Yes
      Learn more

    • Firewall enabled:
      Baseline default: Allowed
      Learn more

  • Firewall profile private:
    Baseline default: Configure
    Learn more

    • Inbound connections blocked:
      Baseline default: Yes
      Learn more

    • Outbound connections required:
      Baseline default: Yes
      Learn more

    • Inbound notifications blocked:
      Baseline default: Yes
      Learn more

    • Firewall enabled:
      Baseline default: Allowed
      Learn more

  • Firewall profile public:
    Baseline default: Configure
    Learn more

    • Inbound connections blocked:
      Baseline default: Yes
      Learn more

    • Outbound connections required:
      Baseline default: Yes
      Learn more

    • Inbound notifications blocked:
      Baseline default: Yes
      Learn more

    • Firewall enabled:
      Baseline default: Allowed
      Learn more

    • Connection security rules from group policy not merged:
      Baseline default: Yes
      Learn more

    • Policy rules from group policy not merged:
      Baseline default: Yes
      Learn more

Internet Explorer

View the full list of Internet Explorer CSPs.

  • Internet Explorer encryption support
    Baseline defaults: Two items: TLS v1.1 and TLS v1.2

    Learn more

  • Internet Explorer prevent managing smart screen filter
    Baseline default: Enable
    Learn more

  • Internet Explorer restricted zone script Active X controls marked safe for scripting
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone file downloads
    Baseline default: Disable
    Learn more

  • Internet Explorer certificate address mismatch warning
    Baseline default: Disable
    Learn more

  • Internet Explorer enhanced protected mode
    Baseline default: Disable
    Learn more

  • Internet Explorer fallback to SSL3
    Baseline default: No sites
    Learn more

  • Internet Explorer software when signature is invalid
    Baseline default: Disable
    Learn more

  • Internet Explorer check server certificate revocation
    Baseline default: Enable
    Learn more

  • Internet Explorer check signatures on downloaded programs
    Baseline default: Enable
    Learn more

  • Internet Explorer processes consistent MIME handling
    Baseline default: Enable
    Learn more

  • Internet Explorer bypass smart screen warnings
    Baseline default: Disable
    Learn more

  • Internet Explorer bypass smart screen warnings about uncommon files
    Baseline default: Disable
    Learn more

  • Internet Explorer crash detection
    Baseline default: Disable
    Learn more

  • Internet Explorer download enclosures
    Baseline default: Disable
    Learn more

  • Internet Explorer ignore certificate errors
    Baseline default: Disable
    Learn more

  • Internet Explorer disable processes in enhanced protected mode
    Baseline default: Enable
    Learn more

  • Internet Explorer security settings check
    Baseline default: Enabled
    Learn more

  • Internet Explorer Active X controls in protected mode
    Baseline default: Disabled
    Learn more

  • Internet Explorer users adding sites
    Baseline default: Disabled
    Learn more

  • Internet Explorer users changing policies
    Baseline default: Disabled
    Learn more

  • Internet Explorer block outdated Active X controls
    Baseline default: Enabled
    Learn more

  • Internet Explorer include all network paths
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone access to data sources
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone automatic prompt for file downloads
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone copy and paste via script
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone drag and drop or copy and paste files
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone less privileged sites
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone loading of XAML files
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone .NET Framework reliant components
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone allows only approved domains to use ActiveX controls
    Baseline default: Enabled
    Learn more

  • Internet Explorer internet zone allows only approved domains to use tdc ActiveX controls
    Baseline default: Enabled
    Learn more

  • Internet Explorer internet zone scripting of web browser controls
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone script initiated windows
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone scriptlets
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone smart screen
    Baseline default: Enabled
    Learn more

  • Internet Explorer internet zone updates to status bar via script
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone user data persistence
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone allows VBscript to run
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone do not run antimalware against ActiveX controls
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone download signed ActiveX controls
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone download unsigned ActiveX controls
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone cross site scripting filter
    Baseline default: Enabled
    Learn more

  • Internet Explorer internet zone drag content from different domains across windows
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone drag content from different domains within windows
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone protected mode
    Baseline default: Enable
    Learn more

  • Internet Explorer internet zone include local path when uploading files to server
    Baseline default: Disabled
    Learn more

  • Internet Explorer internet zone initialize and script Active X controls not marked as safe
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone java permissions
    Baseline default: Disable java
    Learn more

  • Internet Explorer internet zone launch applications and files in an iframe
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone logon options
    Baseline default: Prompt
    Learn more

  • Internet Explorer internet zone navigate windows and frames across different domains
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone run .NET Framework reliant components signed with Authenticode
    Baseline default: Disable
    Learn more

  • Internet Explorer internet zone security warning for potentially unsafe files
    Baseline default: Prompt
    Learn more

  • Internet Explorer internet zone popup blocker
    Baseline default: Enable
    Learn more

  • Internet Explorer intranet zone do not run antimalware against Active X controls
    Baseline default: Disabled
    Learn more

  • Internet Explorer intranet zone initialize and script Active X controls not marked as safe
    Baseline default: Disable
    Learn more

  • Internet Explorer intranet zone java permissions
    Baseline default: High safety
    Learn more

  • Internet Explorer local machine zone do not run antimalware against Active X controls
    Baseline default: Disabled
    Learn more

  • Internet Explorer local machine zone java permissions
    Baseline default: Disable java
    Learn more

  • Internet Explorer locked down internet zone smart screen
    Baseline default: Enabled
    Learn more

  • Internet Explorer locked down intranet zone java permissions
    Baseline default: Disable java
    Learn more

  • Internet Explorer locked down local machine zone java permissions
    Baseline default: Disable java
    Learn more

  • Internet Explorer locked down restricted zone smart screen
    Baseline default: Enabled
    Learn more

  • Internet Explorer locked down restricted zone java permissions
    Baseline default: Disable java
    Learn more

  • Internet Explorer locked down trusted zone java permissions
    Baseline default: Disable java
    Learn more

  • Internet Explorer processes MIME sniffing safety feature
    Baseline default: Enabled
    Learn more

  • Internet Explorer processes MK protocol security restriction
    Baseline default: Enabled
    Learn more

  • Internet Explorer processes notification bar
    Baseline default: Enabled
    Learn more

  • Internet Explorer prevent per user installation of Active X controls
    Baseline default: Enabled
    Learn more

  • Internet Explorer processes protection from zone elevation
    Baseline default: Enabled
    Learn more

  • Internet Explorer remove run this time button for outdated Active X controls
    Baseline default: Enabled
    Learn more

  • Internet Explorer processes restrict Active X install
    Baseline default: Enabled
    Learn more

  • Internet Explorer restricted zone access to data sources
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone active scripting
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone automatic prompt for file downloads
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone binary and script behaviors
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone copy and paste via script
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone drag and drop or copy and paste files
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone less privileged sites
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone loading of XAML files
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone meta refresh
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone .NET Framework reliant components
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone allows only approved domains to use Active X controls
    Baseline default: Enabled
    Learn more

  • Internet Explorer restricted zone allows only approved domains to use tdc Active X controls
    Baseline default: Enabled
    Learn more

  • Internet Explorer restricted zone scripting of web browser controls
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone script initiated windows
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone scriptlets
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone smart screen
    Baseline default: Enabled
    Learn more

  • Internet Explorer restricted zone updates to status bar via script
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone user data persistence
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone allows vbscript to run
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone do not run antimalware against Active X controls
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone download signed Active X controls
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone download unsigned Active X controls
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone cross site scripting filter
    Baseline default: Enabled
    Learn more

  • Internet Explorer restricted zone drag content from different domains across windows
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone drag content from different domains within windows
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone include local path when uploading files to server
    Baseline default: Disabled
    Learn more

  • Internet Explorer restricted zone initialize and script Active X controls not marked as safe
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone java permissions
    Baseline default: Disable java
    Learn more

  • Internet Explorer restricted zone launch applications and files in an iFrame
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone logon options
    Baseline default: Anonymous
    Learn more

  • Internet Explorer restricted zone navigate windows and frames across different domains
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone run Active X controls and plugins
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone run .NET Framework reliant components signed with Authenticode
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone scripting of java applets
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone security warning for potentially unsafe files
    Baseline default: Disable
    Learn more

  • Internet Explorer restricted zone protected mode
    Baseline default: Enable
    Learn more

  • Internet Explorer restricted zone popup blocker
    Baseline default: Enable
    Learn more

  • Internet Explorer processes restrict file download
    Baseline default: Enabled
    Learn more

  • Internet Explorer processes scripted window security restrictions
    Baseline default: Enabled
    Learn more

  • Internet Explorer security zones use only machine settings
    Baseline default: Enabled
    Learn more

  • Internet Explorer use Active X installer service
    Baseline default: Enabled
    Learn more

  • Internet Explorer trusted zone do not run antimalware against Active X controls
    Baseline default: Disabled
    Learn more

  • Internet Explorer trusted zone initialize and script Active X controls not marked as safe
    Baseline default: Disable
    Learn more

  • Internet Explorer trusted zone java permissions
    Baseline default: High safety
    Learn more

  • Internet Explorer auto complete
    Baseline default: Disabled
    Learn more

Local Policies Security Options

  • Block remote logon with blank password
    Baseline default: Yes
    Learn more

  • Minutes of lock screen inactivity until screen saver activates
    Baseline default: 15
    Learn more

  • Smart card removal behavior
    Baseline default: Lock workstation
    Learn more

  • Require client to always digitally sign communications
    Baseline default: Yes
    Learn more

  • Prevent clients from sending unencrypted passwords to third party SMB servers
    Baseline default: Yes
    Learn more

  • Require server digitally signing communications always
    Baseline default: Yes
    Learn more

  • Prevent anonymous enumeration of SAM accounts
    Baseline default: Yes
    Learn more

  • Block anonymous enumeration of SAM accounts and shares
    Baseline default: Yes
    Learn more

  • Restrict anonymous access to named pipes and shares
    Baseline default: Yes
    Learn more

  • Allow remote calls to security accounts manager
    Baseline default: O:BAG:BAD:(A;;RC;;;BA)
    Learn more

  • Prevent storing LAN manager hash value on next password change
    Baseline default: Yes
    Learn more

  • Authentication level
    Baseline default: Send NTLMv2 response only. Refuse LM and NTLM
    Learn more

  • Minimum session security for NTLM SSP based clients
    Baseline default: Require NTLM V2 and 128 bit encryption
    Learn more

  • Minimum session security for NTLM SSP based servers
    Baseline default: Require NTLM V2 and 128 bit encryption
    Learn more

  • Administrator elevation prompt behavior
    Baseline default: Prompt for consent on the secure desktop
    Learn more

  • Standard user elevation prompt behavior
    Baseline default: Automatically deny elevation requests
    Learn more

  • Detect application installations and prompt for elevation
    Baseline default: Yes
    Learn more

  • Only allow UI access applications for secure locations
    Baseline default: Yes
    Learn more

  • Require admin approval mode for administrators
    Baseline default: Yes
    Learn more

  • Use admin approval mode
    Baseline default: Yes
    Learn more

  • Virtualize file and registry write failures to per user locations
    Baseline default: Yes
    Learn more

Microsoft Defender

  • Turn on real-time protection
    Baseline default: Yes
    Learn more

  • Scan scripts that are used in Microsoft browsers
    Baseline default: Yes
    Learn more

  • Additional amount of time (0-50 seconds) to extend cloud protection timeout
    Baseline default: 50
    Learn more

  • Scan all downloaded files and attachments
    Baseline default: Yes
    Learn more

  • Scan type
    Baseline default: Quick scan
    Learn more

  • Defender schedule scan day
    Baseline default: Everyday

  • Scheduled scan start time
    Baseline default: Not configured

  • Defender sample submission consent
    Baseline default: Send safe samples automatically
    Learn more

  • Cloud-delivered protection level
    Baseline default: High
    Learn more

  • Scan removable drives during full scan
    Baseline default: Yes
    Learn more

  • Defender potentially unwanted app action
    Baseline default: Block
    Learn more

  • Turn on cloud-delivered protection
    Baseline default: Yes
    Learn more

Microsoft Defender Antivirus Exclusions

  • Defender Processes to exclude
    Baseline defaults: Not configured by default. Manually add one or more entries.

  • File extensions to exclude from scans and real-time protection
    Baseline defaults: Not configured by default. Manually add one or more entries.

  • Defender Files And Folders To Exclude
    Baseline default: Not configured by default. Manually add one or more entries.

Microsoft Edge

  • Control which extensions cannot be installed
    Baseline default: Enabled

    • Extension IDs the user should be prevented from installing (or * for all)
      Baseline default: Not configured by default. Manually add one or more IDs

  • Allow user-level native messaging hosts (installed without admin permissions)
    Baseline default: Disabled

  • Minimum SSL version enabled
    Baseline default: Enabled

    • Minimum SSL version enabled
      Baseline default: TLS 1.2

  • Allow users to proceed from the SSL warning page
    Baseline default: Disabled

  • Configure Microsoft Defender SmartScreen
    Baseline default: Enabled

  • Prevent bypassing Microsoft Defender SmartScreen prompts for sites
    Baseline default: Enabled

  • Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
    Baseline default: Enabled

  • Configure Microsoft Defender SmartScreen to block potentially unwanted apps
    Baseline default: Enabled

  • Default Adobe Flash setting
    Baseline default: Enabled

    • Default Adobe Flash setting
      Baseline default: Block the Adobe Flash plugin

  • Enable saving passwords to the password manager
    Baseline default: Disabled

  • Enable site isolation for every site
    Baseline default: Enabled

  • Supported authentication schemes
    Baseline default: Enabled

    • Supported authentication schemes
      Baseline defaults: Two items: NTLM and Negotiate

MS Security Guide

  • SMB v1 client driver start configuration
    Baseline default: Disable driver
    Learn more

  • Apply UAC restrictions to local accounts on network logon
    Baseline default: Enabled
    Learn more

  • Structured exception handling overwrite protection
    Baseline default: Enabled
    Learn more

  • SMB v1 server
    Baseline default: Disabled
    Learn more

  • Digest authentication
    Baseline default: Disabled
    Learn more

MSS Legacy

  • Network IPv6 source routing protection level
    Baseline default: Highest protection
    Learn more

  • Network IP source routing protection level
    Baseline default: Highest protection
    Learn more

  • Network ignore NetBIOS name release requests except from WINS servers
    Baseline default: Enabled
    Learn more

  • Network ICMP redirects override OSPF generated routes
    Baseline default: Disabled
    Learn more

Remote Assistance

  • Remote Assistance solicited Baseline default: Disable Remote Assistance
    Learn more

Remote Desktop Services

  • Remote desktop services client connection encryption level
    Baseline default: High
    Learn more

  • Block drive redirection
    Baseline default: Enabled

  • Block password saving
    Baseline default: Enabled
    Learn more

  • Prompt for password upon connection
    Baseline default: Enabled
    Learn more

  • Secure RPC communication
    Baseline default: Enabled
    Learn more

Remote Management

  • Block client digest authentication
    Baseline default: Enabled
    Learn more

  • Block storing run as credentials
    Baseline default: Enabled
    Learn more

  • Client basic authentication
    Baseline default: Disabled
    Learn more

  • Basic authentication
    Baseline default: Disabled
    Learn more

  • Client unencrypted traffic
    Baseline default: Disabled
    Learn more

  • Unencrypted traffic
    Baseline default: Disabled
    Learn more

Remote Procedure Call

  • RPC unauthenticated client options
    Baseline default: Authenticated
    Learn more
  • Disable indexing encrypted items
    Baseline default: Yes
    Learn more

Smart Screen

  • Turn on Windows SmartScreen
    Baseline default: Yes
    Learn more

  • Block users from ignoring SmartScreen warnings
    Baseline default: Yes
    Learn more

System

  • System boot start driver initialization
    Baseline default: Good unknown and bad critical
    Learn more

Windows Connection Manager

  • Block connection to non-domain networks
    Baseline default: Enabled
    Learn more

Windows Ink Workspace

  • Ink Workspace
    Baseline default: Enabled
    Learn more

Windows PowerShell

  • PowerShell script block logging
    Baseline default: Enabled
    Learn more

Windows Security

  • Enable tamper protection to prevent Microsoft Defender being disabled
    Baseline default: Enable
    Learn more