List of the settings in the Windows 365 Cloud PC security baseline in Intune

מאמר
07/22/2024

This article is a reference for the settings that are available in the Windows 365 Cloud PC security baseline that you can deploy with Microsoft Intune.

For each setting we list the baselines default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types, like the MDM security and the Defender for Endpoint baselines, could also set different defaults.

When the Intune UI includes a Learn more link for a setting, we include that here as well. Use that link to view the settings policy configuration service provider (CSP) or relevant content that explains the settings operation.

When a new version of a baseline becomes available, it replaces the previous version. Profiles instances that you’ve created prior to the availability of a new version:

Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see:

Windows 365 Cloud PC security baseline version 24H1:

The settings in this baseline apply to Windows devices managed through Intune. When available, the setting name links to the source Configuration Service Provider (CSP), and then displays that settings default configuration in the baseline.

Administrative Templates

Control Panel > Personalization

Prevent enabling lock screen camera
Baseline default: Enabled
Learn more
Prevent enabling lock screen slide show
Baseline default: Enabled
Learn more

MS Security Guide

Apply UAC restrictions to local accounts on network logons
Baseline default: Enabled
Learn more
Configure SMB v1 client driver
Baseline default: Enabled
Learn more
- Configure MrxSmb10 driver
  Baseline default: Disable driver (recommended)
Configure SMB v1 server
Baseline default: Disabled
Learn more
Enable Structured Exception Handling Overwrite Protection (SEHOP)
Baseline default: Enabled
Learn more
WDigest Authentication (disabling may require KB2871997)
Baseline default: Disabled
Learn more

MSS (Legacy)

MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)
Baseline default: Enabled
Learn more
- DisableIPSourceRouting IPv6 (Device)
  Baseline default: Highest protection, source routing is completely disabled
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing)
Baseline default: Enabled
Learn more
- DisableIPSourceRouting (Device)
  Baseline default: Enabled Highest protection, source routing is completely disabled
MSS: (EnableCMPRedirect) Allow ICMP redirects to override OSPF generated routes
Baseline default: Disabled
Learn more
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers
Baseline default: Enabled
Learn more

Network > DNS Client

Turn off multicast name resolution
Baseline default: Enabled
Learn more

Network > Network Connections

Prohibit use of Internet Connection Sharing on your DNS domain network
Baseline default: Enabled
Learn more

Network > Network Provider

Hardened UNC Paths
Baseline default: Enabled
Learn more
- Hardened UNC Paths: (Device)
  Baseline defaults:
  
  Name Value
  
  \\*\SYSVOL RequireMutualAuthentication=1,RequireIntegrity=1
  
  \\*\NETLOGON RequireMutualAuthentication=1,RequireIntegrity=1

Name	Value
`\\*\SYSVOL`	RequireMutualAuthentication=1,RequireIntegrity=1
`\\*\NETLOGON`	RequireMutualAuthentication=1,RequireIntegrity=1

Network > Windows Connection Manager

Prohibit connection to non-domain networks when connected to domain authenticated network
Baseline default: Enabled
Learn more

Turn off toast notifications on the lock screen (User)
Baseline default: Enabled
Learn more

System > Credentials Delegation

Encryption Oracle Remediation
Baseline default: Enabled
Learn more
- Protection Level: (Device)
  Baseline default: Force Updated Clients
Remote host allows delegation of non-exportable credentials
Baseline default: Enabled
Learn more

System > Device Installation > Device Installation Restrictions

Prevent installation of devices using drivers that match these device setup classes
Baseline default: Enabled
Learn more
- Also apply to matching devices that are already installed
  Baseline default: True
- Prevented Classes
  Baseline default: {d48179be-ec20-11d1-b6b8-00c04fa372a7}

System > Early Launch Antimalware

Boot-Start Driver Initialization Policy
Baseline default: Enabled
Learn more
- Choose the boot-start drivers that can be initialized:
  Baseline default: Good, unknown and bad but critical

System > Group Policy

Configure registry policy processing
Baseline default: Enabled
Learn more
- Do not apply during periodic background processing (Device)
  Baseline default: False
- Process even if the Group Policy objects have not changed (Device)
  Baseline default: True

System > Internet Communication Management > Internet Communication settings

Turn off downloading of print drivers
Baseline default: Enabled
Learn more
Turn off Internet download for Web publishing and online ordering wizards
Baseline default: Enabled
Learn more

System > Power Management > Sleep Settings

Allow standby states (S1-S3) when sleeping (on battery)
Baseline default: Disabled
Learn more
Allow standby states (S1-S3) when sleeping (plugged in)
Baseline default: Disabled
Learn more
Require a password when a computer wakes (on battery)
Baseline default: Enabled
Learn more
Require a password when a computer wakes (plugged in)
Baseline default: Enabled
Learn more

System > Remote Assistance

Configure Solicited Remote Assistance
Baseline default: Disabled
Learn more

System > Remote Procedure Call

Restrict Unauthenticated RPC clients
Baseline default: Enabled
Learn more
- RPC Runtime Unauthenticated Client Restriction to Apply:
  Baseline default: Authenticated

Windows Components > App runtime

Allow Microsoft accounts to be optional
Baseline default: Enabled
Learn more

Windows Components > AutoPlay Policies

Disallow Autoplay for non-volume devices
Baseline default: Enabled
Learn more
Set the default behavior for AutoRun
Baseline default: Enabled
Learn more
- Default AutoRun Behavior
  Baseline default: Do not execute any autorun commands
Turn off Autoplay
Baseline default: Enabled
Learn more
- Turn off Autoplay on:
  Baseline default: All drives

Windows Components > BitLocker Drive Encryption > Fixed Data Drives

Note

The default configuration of the following setting will apply to all managed Windows 365 PCs as Windows 365 PC’s do no support use of BitLocker as an encryption option. For more information, see Data encryption in Windows 365 in the Windows Security documentation.

Deny write access to fixed drives not protected by BitLocker
Baseline default: Disabled
Learn more

Windows Components > BitLocker Drive Encryption > Removable Data Drives

Note

Deny write access to removable drives not protected by BitLocker
Baseline default: Enabled
Learn more
- Do not allow write access to devices configured in another organization
  Baseline default: False

Windows Components > Credential User Interface

Enumerate administrator accounts on elevation
Baseline default: Disabled
Learn more

Windows Components > Event Log Service > Application

Specify the maximum log file size (KB)
Baseline default: Enabled
Learn more
- Maximum Log Size (KB)
  Baseline default: 32768

Windows Components > Event Log Service > Security

Specify the maximum log file size (KB)
Baseline default: Enabled
Learn more
- Maximum Log Size (KB)
  Baseline default: 196608

Windows Components > Event Log Service > System

Specify the maximum log file size (KB)
Baseline default: Enabled
Learn more
- Maximum Log Size (KB)
  Baseline default: 32768

Windows Components > File Explorer

Configure Windows Defender SmartScreen
Baseline default: Enabled
Learn more
- Pick one of the following settings: (Device)
  Baseline default: Warn and prevent bypass
Turn off Data Execution Prevention for Explorer
Baseline default: Disabled
Learn more
Turn off heap termination on corruption
Baseline default: Disabled
Learn more

Windows Components > Internet Explorer > Internet Control Panel > Advanced Page

Allow software to run or install even if the signature is invalid
Baseline default: Disabled
Learn more
Check for server certificate revocation
Baseline default: Enabled
Learn more
Check for signatures on downloaded programs
Baseline default: Enabled
Learn more
Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled
Baseline default: Enabled
Learn more
Turn off encryption support
Baseline default: Enabled
Learn more
- Secure Protocol combinations
  Baseline default: Use TLS 1.1 and TLS 1.2
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows
Baseline default: Enabled
Learn more
Turn on Enhanced Protected Mode
Baseline default: Enabled
Learn more

Windows Components > Internet Explorer > Internet Control Panel

Prevent ignoring certificate errors
Baseline default: Enabled
Learn more

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone

Access data sources across domains
Baseline default: Enabled
Learn more
- Access data sources across domains
  Baseline default: Disable
Allow cut, copy or paste operations from the clipboard via script
Baseline default: Enabled
Learn more
- Allow paste operations via script
  Baseline default: Disable
Allow drag and drop or copy and paste files
Baseline default: Enabled
Learn more
- Allow drag and drop or copy and paste files
  Baseline default: Disable
Allow loading of XAML files
Baseline default: Enabled
Learn more
- XAML Files
  Baseline default: Disable
Allow only approved domains to use ActiveX controls without prompt
Baseline default: Enabled
Learn more
- Only allow approved domains to use ActiveX controls without prompt
  Baseline default: Enable
Allow only approved domains to use the TDC ActiveX control
Baseline default: Enabled
Learn more
- Only allow approved domains to use the TDC ActiveX control
  Baseline default: Enable
Allow script-initiated windows without size or position constraints
Baseline default: Enabled
Learn more
- Allow script-initiated windows without size or position constraints
  Baseline default: Disable
Allow scripting of Internet Explorer WebBrowser controls
Baseline default: Enabled
Learn more
- Internet Explorer web browser control
  Baseline default: Disable
Allow scriptlets
Baseline default: Enabled
Learn more
- Scriptlets
  Baseline default: Disable
Allow updates to status bar via script
Baseline default: Enabled
Learn more
- Status bar updates via script
  Baseline default: Disable
Allow VBScript to run in Internet Explorer
Baseline default: Enabled
Learn more
- Allow VBScript to run in Internet Explorer
  Baseline default: Disable
Automatic prompting for file downloads
Baseline default: Enabled
Learn more
- Automatic prompting for file downloads
  Baseline default: Disable
Don't run antimalware programs against ActiveX controls
Baseline default: Enabled
Learn more
- Don't run antimalware programs against ActiveX controls
  Baseline default: Disable
Download signed ActiveX controls
Baseline default: Enabled
Learn more
- Download signed ActiveX controls
  Baseline default: Disable
Download unsigned ActiveX controls
Baseline default: Enabled
Learn more
- Download unsigned ActiveX controls
  Baseline default: Disable
Enable dragging of content from different domains across windows
Baseline default: Enabled
Learn more
- Enable dragging of content from different domains across windows
  Baseline default: Disable
Enable dragging of content from different domains within a window
Baseline default: Enabled
Learn more
- Enable dragging of content from different domains within a window
  Baseline default: Disable
Include local path when user is uploading files to a server
Baseline default: Enabled
Learn more
- Include local directory path when uploading files to a server
  Baseline default: Disable
Initialize and script ActiveX controls not marked as safe
Baseline default: Enabled
Learn more
- Initialize and script ActiveX controls not marked as safe
  Baseline default: Disable
Java permissions
Baseline default: Enabled
Learn more
- Java permissions
  Baseline default: Disable Java
Launching applications and files in an IFRAME
Baseline default: Enabled
Learn more
- Launching applications and files in an IFRAME
  Baseline default: Disable
Logon options
Baseline default: Enabled
Learn more
- Logon options
  Baseline default: Prompt for user name and password
Navigate windows and frames across different domains
Baseline default: Enabled
Learn more
- Navigate windows and frames across different domains
  Baseline default: Disable
Run .NET Framework-reliant components not signed with Authenticode
Baseline default: Enabled
Learn more
- Run .NET Framework-reliant components not signed with Authenticode
  Baseline default: Disable
Run .NET Framework-reliant components signed with Authenticode
Baseline default: Enabled
Learn more
- Run .NET Framework-reliant components signed with Authenticode
  Baseline default: Disable
Show security warning for potentially unsafe files
Baseline default: Enabled
Learn more
- Launching programs and unsafe files
  Baseline default: Prompt
Turn on Cross-Site Scripting Filter
Baseline default: Enabled
Learn more
- Turn on Cross-Site Scripting (XSS) Filter
  Baseline default: Enable
Turn on Protected Mode
Baseline default: Enabled
Learn more
- Protected Mode
  Baseline default: Enable
Turn on SmartScreen Filter scan
Baseline default: Enabled
Learn more
- Use SmartScreen Filter
  Baseline default: Enable
Use Pop-up Blocker
Baseline default: Enabled
Learn more
- Use Pop-up Blocker
  Baseline default: Enable
Userdata persistence
Baseline default: Enabled
Learn more
- Userdata persistence
  Baseline default: Disable
Web sites in less privileged Web content zones can navigate into this zone
Baseline default: Enabled
Learn more
- Web sites in less privileged Web content zones can navigate into this zone
  Baseline default: Disable

Windows Components > Internet Explorer > Internet Control Panel > Security Page

Intranet Sites: Include all network paths (UNCs)
Baseline default: Disabled
Learn more
Turn on certificate address mismatch warning
Baseline default: Enabled
Learn more

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone

Don't run antimalware programs against ActiveX controls
Baseline default: Enabled
Learn more
- Don't run antimalware programs against ActiveX controls
  Baseline default: Disable
Initialize and script ActiveX controls not marked as safe
Baseline default: Enabled
Learn more
- Initialize and script ActiveX controls not marked as safe
  Baseline default: Disable
Java permissions
Baseline default: Enabled
Learn more
- Java permissions
  Baseline default: High safety

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone

Don't run antimalware programs against ActiveX controls
Baseline default: Enabled
Learn more
- Don't run antimalware programs against ActiveX controls
  Baseline default: Disable
Java permissions
Baseline default: Enabled
Learn more
- Java permissions
  Baseline default: Disable Java

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone

Turn on SmartScreen Filter scan
Baseline default: Enabled
Learn more
- Use SmartScreen Filter
  Baseline default: Enable

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone

Java permissions
Baseline default: Enabled
Learn more
- Java permissions
  Baseline default: Disable Java

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone

Java permissions
Baseline default: Enabled
Learn more
- Java permissions
  Baseline default: Disable Java

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone

Java permissions
Baseline default: Enabled
Learn more
- Java permissions
  Baseline default: Disable Java
Turn on SmartScreen Filter scan
Baseline default: Enabled
Learn more
- Use SmartScreen Filter
  Baseline default: Enable

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone

Java permissions
Baseline default: Enabled
Learn more
- Java permissions
  Baseline default: Disable Java

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone

Access data sources across domains
Baseline default: Enabled
Learn more
- Access data sources across domains
  Baseline default: Disable
Allow active scripting
Baseline default: Enabled
Learn more
- Allow active scripting
  Baseline default: Disable
Allow binary and script behaviors
Baseline default: Enabled
Learn more
- Allow binary and script behaviors
  Baseline default: Disable
Allow cut, copy or paste operations from the clipboard via script
Baseline default: Enabled
Learn more
- Allow paste operations via script
  Baseline default: Disable
Allow drag and drop or copy and paste files
Baseline default: Enabled
Learn more
- Allow drag and drop or copy and paste files
  Baseline default: Disable
Allow file downloads
Baseline default: Enabled
Learn more
- Allow file downloads
  Baseline default: Disable
Allow loading of XAML files
Baseline default: Enabled
Learn more
- XAML Files
  Baseline default: Disable
Allow META REFRESH
Baseline default: Enabled
Learn more
- Allow META REFRESH
  Baseline default: Disable
Allow only approved domains to use ActiveX controls without prompt
Baseline default: Enabled
Learn more
- Only allow approved domains to use ActiveX controls without prompt
  Baseline default: Enable
Allow only approved domains to use the TDC ActiveX control
Baseline default: Enabled
Learn more
- Only allow approved domains to use the TDC ActiveX control
  Baseline default: Enable
Allow script-initiated windows without size or position constraints
Baseline default: Enabled
Learn more
- Allow script-initiated windows without size or position constraints
  Baseline default: Disable
Allow scripting of Internet Explorer WebBrowser controls
Baseline default: Enabled
Learn more
- Internet Explorer web browser control
  Baseline default: Disable
Allow scriptlets
Baseline default: Enabled
Learn more
- Scriptlets
  Baseline default: Disable
Allow updates to status bar via script
Baseline default: Enabled
Learn more
- Status bar updates via script
  Baseline default: Disable
Allow VBScript to run in Internet Explorer
Baseline default: Enabled
Learn more
- Allow VBScript to run in Internet Explorer
  Baseline default: Disable
Automatic prompting for file downloads
Baseline default: Enabled
Learn more
- Automatic prompting for file downloads
  Baseline default: Disable
Don't run antimalware programs against ActiveX controls
Baseline default: Enabled
Learn more
- Don't run antimalware programs against ActiveX controls
  Baseline default: Disable
Download signed ActiveX controls
Baseline default: Enabled
Learn more
- Download signed ActiveX controls
  Baseline default: Disable
Download unsigned ActiveX controls
Baseline default: Enabled
Learn more
- Download unsigned ActiveX controls
  Baseline default: Disable
Enable dragging of content from different domains across windows
Baseline default: Enabled
Learn more
- Enable dragging of content from different domains across windows
  Baseline default: Disable
Enable dragging of content from different domains within a window
Baseline default: Enabled
Learn more
- Enable dragging of content from different domains within a window
  Baseline default: Disable
Include local path when user is uploading files to a server
Baseline default: Enabled
Learn more
- Include local directory path when uploading files to a server
  Baseline default: Disable
Initialize and script ActiveX controls not marked as safe
Baseline default: Enabled
Learn more
- Initialize and script ActiveX controls not marked as safe
  Baseline default: Disable
Java permissions
Baseline default: Enabled
Learn more
- Java permissions
  Baseline default: Disable Java
Launching applications and files in an IFRAME
Baseline default: Enabled
Learn more
- Launching applications and files in an IFRAME
  Baseline default: Disable
Logon options
Baseline default: Enabled
Learn more
- Logon options
  Baseline default: Anonymous logon
Navigate windows and frames across different domains
Baseline default: Enabled
Learn more
- Navigate windows and frames across different domains
  Baseline default: Disable
Run .NET Framework-reliant components not signed with Authenticode
Baseline default: Enabled
Learn more
- Run .NET Framework-reliant components not signed with Authenticode
  Baseline default: Disable
Run .NET Framework-reliant components signed with Authenticode
Baseline default: Enabled
Learn more
- Run .NET Framework-reliant components signed with Authenticode
  Baseline default: Disable
Run ActiveX controls and plugins
Baseline default: Enabled
Learn more
- Run ActiveX controls and plugins
  Baseline default: Disable
Script ActiveX controls marked safe for scripting
Baseline default: Enabled
Learn more
- Script ActiveX controls marked safe for scripting
  Baseline default: Disable
Scripting of Java applets
Baseline default: Enabled
Learn more
- Scripting of Java applets
  Baseline default: Disable
Show security warning for potentially unsafe files
Baseline default: Enabled
Learn more
- Launching programs and unsafe files
  Baseline default: Disable
Turn on Cross-Site Scripting Filter
Baseline default: Enabled
Learn more
- Turn on Cross-Site Scripting (XSS) Filter
  Baseline default: Enabled
Turn on Protected Mode
Baseline default: Enabled
Learn more
- Protected Mode
  Baseline default: Enabled
Turn on SmartScreen Filter scan
Baseline default: Enabled
Learn more
- Use SmartScreen Filter
  Baseline default: Enabled
Use Pop-up Blocker
Baseline default: Enabled
Learn more
- Use Pop-up Blocker
  Baseline default: Enabled
Userdata persistence
Baseline default: Enabled
Learn more
- Userdata persistence
  Baseline default: Disable
Web sites in less privileged Web content zones can navigate into this zone
Baseline default: Enabled
Learn more
- Web sites in less privileged Web content zones can navigate into this zone
  Baseline default: Disable

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone

Don't run antimalware programs against ActiveX controls
Baseline default: Enabled
Learn more
- Don't run antimalware programs against ActiveX controls
  Baseline default: Disable
Initialize and script ActiveX controls not marked as safe
Baseline default: Enabled
Learn more
- Initialize and script ActiveX controls not marked as safe
  Baseline default: Disable
Java permissions
Baseline default: Enabled
Learn more
- Java permissions
  Baseline default: High safety

Windows Components > Internet Explorer

Prevent bypassing SmartScreen Filter warnings
Baseline default: Enabled
Learn more
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
Baseline default: Enabled
Learn more
Prevent managing SmartScreen Filter
Baseline default: Enabled
Learn more
- Select SmartScreen Filter mode
  Baseline default: On
Prevent per-user installation of ActiveX controls
Baseline default: Enabled
Learn more
Security Zones: Do not allow users to add/delete sites
Baseline default: Enabled
Learn more
Security Zones: Do not allow users to change policies
Baseline default: Enabled
Learn more
Security Zones: Use only machine settings
Baseline default: Enabled
Learn more
Specify use of ActiveX Installer Service for installation of ActiveX controls
Baseline default: Enabled
Learn more
Turn off Crash Detection
Baseline default: Enabled
Learn more
Turn off the Security Settings Check feature
Baseline default: Disabled
Learn more
Turn on the auto-complete feature for user names and passwords on forms (User)
Baseline default: Disabled
Learn more

Windows Components > Internet Explorer > Security Features > Add-on Management

Remove "Run this time" button for outdated ActiveX controls in Internet Explorer
Baseline default: Enabled
Learn more
Turn off blocking of outdated ActiveX controls for Internet Explorer
Baseline default: Disabled
Learn more

Windows Components > Internet Explorer > Security Features

Allow fallback to SSL 3.0 (Internet Explorer)
Baseline default: Enabled
Learn more
- Allow insecure fallback for:
  Baseline default: No Sites

Windows Components > Internet Explorer > Security Features > Consistent Mime Handling

Internet Explorer Processes
Baseline default: Enabled
Learn more

Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature

Internet Explorer Processes
Baseline default: Enabled
Learn more

Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction

Internet Explorer Processes
Baseline default: Enabled
Learn more

Windows Components > Internet Explorer > Security Features > Notification bar

Internet Explorer Processes
Baseline default: Enabled
Learn more

Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation

Internet Explorer Processes
Baseline default: Enabled
Learn more

Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install

Internet Explorer Processes
Baseline default: Enabled
Learn more

Windows Components > Internet Explorer > Security Features > Restrict File Download

Internet Explorer Processes
Baseline default: Enabled
Learn more

Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions

Internet Explorer Processes
Baseline default: Enabled
Learn more

Windows Components > Microsoft Defender Antivirus > MAPS

Configure the 'Block at First Sight' feature
Baseline default: Enabled
Learn more

Windows Components > Microsoft Defender Antivirus > Real-time Protection

Turn on process scanning whenever real-time protection is enabled
Baseline default: Enabled
Learn more

Windows Components > Microsoft Defender Antivirus > Scan

Scan packed executables
Baseline default: Enabled
Learn more

Windows Components > Microsoft Defender Antivirus

Turn off routine remediation
Baseline default: Disabled
Learn more

Windows Components > Remote Desktop Services > Remote Desktop Connection Client

Do not allow passwords to be saved
Baseline default: Enabled
Learn more

Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection

Do not allow drive redirection
Baseline default: Enabled
Learn more

Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security

Always prompt for password upon connection
Baseline default: Enabled
Learn more
Require secure RPC communication
Baseline default: Enabled
Learn more
Set client connection encryption level
Baseline default: Enabled
Learn more
- Encryption Level
  Baseline default: High Level

Windows Components > RSS Feeds

Prevent downloading of enclosures
Baseline default: Enabled
Learn more

Windows Components > Windows Logon Options

Sign-in and lock last interactive user automatically after a restart
Baseline default: Disabled
Learn more

Windows Components > Windows PowerShell

Turn on PowerShell Script Block Logging
Baseline default: Enabled
Learn more
- Log script block invocation start / stop events:
  Baseline default: False

Windows Components > Windows Remote Management (WinRM) > WinRM Client

Allow Basic authentication
Baseline default: Disabled
Learn more
Allow unencrypted traffic
Baseline default: Disabled
Learn more
Disallow Digest authentication
Baseline default: Enabled
Learn more

Windows Components > Windows Remote Management (WinRM) > WinRM Service

Allow Basic authentication
Baseline default: Disabled
Learn more
Allow unencrypted traffic
Baseline default: Disabled
Learn more
Disallow WinRM from storing RunAs credentials
Baseline default: Enabled
Learn more

Auditing

Account Logon Audit Credential Validation
Baseline default: Success+ Failure
Learn more
Account Logon Logoff Audit Account Lockout
Baseline default: Failure
Learn more
Account Logon Logoff Audit Group Membership
Baseline default: Success
Learn more
Account Logon Logoff Audit Logon
Baseline default: Success+ Failure
Learn more
Audit Authentication Policy Change
Baseline default: Success
Learn more
Audit Changes to Audit Policy
Baseline default: Success
Learn more
Audit File Share Access
Baseline default: Success+ Failure
Learn more
Audit Other Logon Logoff Events
Baseline default: Success+ Failure
Learn more
Audit Security Group Management
Baseline default: Success
Learn more
Audit Security System Extension
Baseline default: Success
Learn more
Audit Special Logon
Baseline default: Success
Learn more
Audit User Account Management
Baseline default: Success+ Failure
Learn more
Detailed Tracking Audit PNP Activity
Baseline default: Success
Learn more
Detailed Tracking Audit Process Creation
Baseline default: Success
Learn more
Object Access Audit Detailed File Share
Baseline default: Failure
Learn more
Object Access Audit Other Object Access Events
Baseline default: Success+ Failure
Learn more
Object Access Audit Removable Storage
Baseline default: Success+ Failure
Learn more
Policy Change Audit MPSSVC Rule Level Policy Change
Baseline default: Success+ Failure
Learn more
Policy Change Audit Other Policy Change Events
Baseline default: Failure
Learn more
Privilege Use Audit Sensitive Privilege Use
Baseline default: Success
Learn more
System Audit Other System Events
Baseline default: Success+ Failure
Learn more
System Audit Security State Change
Baseline default: Success
Learn more
System Audit System Integrity
Baseline default: Success+ Failure
Learn more

Browser

Allow Password Manager
Baseline default: Block
Learn more
Allow Smart Screen
Baseline default: Allow
Learn more
Prevent Cert Error Overrides
Baseline default: Enabled
Learn more
Prevent Smart Screen Prompt Override
Baseline default: Enabled
Learn more
Prevent Smart Screen Prompt Override For Files
Baseline default: Enabled
Learn more

Data Protection

Allow Direct Memory Access
Baseline default: Block
Learn more

Defender

Allow Archive Scanning
Baseline default: Allowed. Scans the archive files.
Learn more
Allow Behavior Monitoring
Baseline default: Allowed. Turns on real-time behavior monitoring.
Learn more
Allow Cloud Protection
Baseline default: Allowed. Turns on Cloud Protection.
Learn more
Allow Full Scan Removable Drive Scanning
Baseline default: Allowed. Scans removable drives.
Learn more
Allow On Access Protection
Baseline default: Allowed.
Learn more
Allow Realtime Monitoring
Baseline default: Allowed. Turns on and runs the real-time monitoring service.
Learn more
Allow scanning of all downloaded files and attachments
Baseline default: Allowed.
Learn more
Allow Script Scanning
Baseline default: Allowed.
Learn more
- Block execution of potentially obfuscated scripts
  Baseline default: Block
  Learn more
- Block Win32 API calls from Office macros
  Baseline default: Block
  Learn more
- Block Office communication application from creating child processes
  Baseline default: Block
  Learn more
- Block all Office applications from creating child processes
  Baseline default: Block
  Learn more
- Block JavaScript or VBScript from launching downloaded executable content
  Baseline default: Block
  Learn more
- Block untrusted and unsigned processes that run from USB
  Baseline default: Block
  Learn more
- Block Adobe Reader from creating child processes
  Baseline default: Block
  Learn more
- Block credential stealing from the Windows local security authority subsystem
  Baseline default: Block
  Learn more
- Block Office applications from creating executable content
  Baseline default: Block
  Learn more
- Block Office applications from injecting code into other processes
  Baseline default: Block
  Learn more
- Block executable content from email client and webmail
  Baseline default: Block
  Learn more
Cloud Block Level
Baseline default: High
Learn more
Cloud Extended Timeout
Baseline default: Configured
Value: 50
Learn more
Disable Local Admin Merge
Baseline default: Disable Local Admin Merge
Learn more
Enable File Hash Computation
Baseline default: Enable Learn more
Enable Network Protection
Baseline default: Enabled (block mode)
Learn more
Hide Exclusions From Local Admins
Baseline default: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
Learn more
PUA Protection
Baseline default: PUA Protection on. Detected items are blocked. They will show in history along with other threats.
Learn more
Real Time Scan Direction
Baseline default: Monitor all files (bi-directional).
Learn more
Submit Samples Consent
Baseline default: Send all samples automatically.
Learn more

Device Guard

Configure System Guard Launch
Baseline default: Unmanaged Enables Secure Launch if supported by hardware
Learn more
Credential Guard
Baseline default: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.
Learn more
Enable Virtualization Based Security
Baseline default: Enable virtualization based security.
Learn more
Require Platform Security Features
Baseline default: Turns on VBS with Secure Boot.
Learn more

Device Lock

Device Password Enabled
Baseline default: Enabled
Learn more
- Device Password History
  Baseline default: Configured
  Value: 24
  Learn more
- Min Device Password Length
  Baseline default: Configured
  Value: 14
  Learn more

Dma Guard

Device Enumeration Policy
Baseline default: Block all (Most restrictive)
Learn more

Experience

Allow Windows Spotlight (User)
Baseline default: Allow
Learn more
- Allow Windows Consumer Features
  Baseline default: Allow
  Learn more
- Allow Third Party Suggestions In Windows Spotlight (User)
  Baseline default: Block
  Learn more

Firewall

Enable Domain Network Firewall
Baseline default: True
Learn more
- Enable Log Success Connections
  Baseline default: Enable Logging Of Successful Connections
  Learn more
- Default Outbound Action
  Baseline default: Allow
  Learn more
- Enable Log Dropped Packets
  Baseline default: Enable Logging Of Dropped Packets
  Learn more
- Disable Inbound Notifications
  Baseline default: True
  Learn more
- Log Max File Size
  Baseline default: Configured
  Value: 16384
  Learn more
- Default Inbound Action for Domain Profile
  Baseline default: Block
  Learn more
Enable Private Network Firewall
Baseline default: True
Learn more
- Log Max File Size
  Baseline default: Configured
  Value: 16384
  Learn more
- Default Inbound Action for Private Profile
  Baseline default: Block
  Learn more
- Enable Log Success Connections
  Baseline default: Enable Logging Of Successful Connections
  Learn more
- Enable Log Dropped Packets
  Baseline default: Enable Logging Of Dropped Packets
  Learn more
- Default Outbound Action
  Baseline default: Allow
  Learn more
- Disable Inbound Notifications
  Baseline default: True
  Learn more
Enable Public Network Firewall
Baseline default: True
Learn more
- Enable Log Dropped Packets
  Baseline default: Enable Logging Of Dropped Packets
  Learn more
- Log Max File Size
  Baseline default: Configured
  Value: 16384
  Learn more
- Default Outbound Action
  Baseline default: Allow
  Learn more
- Disable Inbound Notifications
  Baseline default: True
  Learn more
- Default Inbound Action for Public Profile
  Baseline default: Block
  Learn more
- Allow Local Policy Merge
  Baseline default: False
  Learn more
- Enable Log Success Connections
  Baseline default: Enable Logging Of Successful Connections
  Learn more
- Allow Local Ipsec Policy Merge
  Baseline default: False
  Learn more

Lanman Workstation

Enable Insecure Guest Logons
Baseline default: Disabled
Learn more

Local Policies Security Options

Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only
Baseline default: Enabled
Learn more
Interactive Logon Machine Inactivity Limit
Baseline default: Configured
Value: 900
Learn more
Interactive Logon Smart Card Removal Behavior
Baseline default: Lock Workstation
Learn more
Microsoft Network Client Digitally Sign Communications Always
Baseline default: Enable
Learn more
Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers
Baseline default: Disable
Learn more
Microsoft Network Server Digitally Sign Communications Always
Baseline default: Enable
Learn more
Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts
Baseline default: Enabled
Learn more
Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares
Baseline default: Enabled
Learn more
Network Access Restrict Anonymous Access To Named Pipes And Shares
Baseline default Enable Learn more
Network Access Restrict Clients Allowed To Make Remote Calls To SAM
Baseline default: Configured
Value: O:BAG:BAD:(A;;RC;;;BA)
Learn more
Network Security Do Not Store LAN Manager Hash Value On Next Password Change
Baseline default: Enable
Learn more
Network Security LAN Manager Authentication Level
Baseline default: Send LM and NTLMv2 responses only. Refuse LM and NTLM
Learn more
Network Security Minimum Session Security For NTLMSSP Based Clients
Baseline default: Require NTLM and 128-bit encryption
Learn more
Network Security Minimum Session Security For NTLMSSP Based Servers
Baseline default: Require NTLM and 128-bit encryption
Learn more
User Account Control Behavior Of The Elevation Prompt For Administrators
Baseline default: Prompt for consent on the secure desktop
Learn more
User Account Control Behavior Of The Elevation Prompt For Standard Users
Baseline default: Automatically deny elevation requests
Learn more
User Account Control Detect Application Installations And Prompt For Elevation
Baseline default: Enable Learn more
User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations
Baseline default: Enabled: Application runs with UIAccess integrity only if it resides in secure location. Learn more
User Account Control Run All Administrators In Admin Approval Mode
Baseline default: Enabled
Learn more
User Account Control Use Admin Approval Mode
Baseline default: Enable
Learn more
User Account Control Virtualize File And Registry Write Failures To Per User Locations
Baseline default: Enabled
Learn more

Local Security Authority

Configure Lsa Protected Process
Baseline default: Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked.
Learn more

Microsoft App Store

Allow Game DVR
Baseline default: Block
Learn more
MSI Allow User Control Over Install
Baseline default: Disabled
Learn more
MSI Always Install With Elevated Privileges
Baseline default: Disabled
Learn more

Microsoft Edge

Content settings

Default Adobe Flash setting
Baseline default: Disabled
Default Adobe Flash setting (User)
Baseline default: Disabled
Minimum TLS version enabled
Baseline default: Enabled
- Minimum TLS version enabled (Device)
  Baseline default: TlS 1.2
Minimum TLS version enabled (User)
Baseline default: Enabled
- Minimum TLS version enabled (User)
  Baseline default: TLS 1.2

SmartScreen settings

Configure Microsoft Defender SmartScreen
Baseline default: Enabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled

Privacy

Let Apps Activate With Voice Above Lock
Baseline default: Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it.
Learn more

Search

Allow Indexing Encrypted Stores Or Items
Baseline default: Block
Learn more

Smart Screen

Enable Smart Screen In Shell
Baseline default: Enabled
Learn more
Prevent Override For Files In Shell
Baseline default: Enabled
Learn more

Enhanced Phishing Protection

Notify Malicious
Baseline default: Enabled
Notify Password Reuse
Baseline default: Enabled
Notify Unsafe App
Baseline default: Enabled
Service Enabled
Baseline default: Enabled

System Services

Configure Xbox Accessory Management Service Startup Mode
Baseline default: Disabled
Learn more
Configure Xbox Live Auth Manager Service Startup Mode
Baseline default: Disabled
Learn more
Configure Xbox Live Game Save Service Startup Mode
Baseline default: Disabled
Learn more
Configure Xbox Live Networking Service Startup Mode
Baseline default: Disabled
Learn more

Task Scheduler

Enable Xbox Game Save Task
Baseline default: Disabled
Learn more

User Rights

Access From Network
Baseline default: Configured
Values:
- *S-1-5-32-544
- *S-1-5-32-555
  Learn more
Allow Local Log On
Baseline default: Configured
Values:
- *S-1-5-32-544
- *S-1-5-32-545
  Learn more
Backup Files And Directories
Baseline default: Configured
Value:
- *S-1-5-32-544
  Learn more
Create Global Objects
Baseline default: Configured
Values:
- *S-1-5-32-544
- *S-1-5-19
- *S-1-5-20
- *S-1-5-6
  Learn more
Create Page File
Baseline default: Configured
Value:
- *S-1-5-32-544
  Learn more
Debug Programs
Baseline default: Configured
Value:
- *S-1-5-32-544
  Learn more
Deny Access From Network
Baseline default: Configured
Value:
- *S-1-5-113
  Learn more
Deny Remote Desktop Services Log On
Baseline default: Configured
Value:
- *S-1-5-113
  Learn more
Impersonate Client
Baseline default: Configured
Values:
- *S-1-5-32-544
- *S-1-5-6
- *S-1-5-19
- *S-1-5-20
  Learn more
Load Unload Device Drivers
Baseline default: Configured
Value:
- *S-1-5-32-544
  Learn more
Manage Auditing And Security Log
Baseline default: Configured
Value:
- *S-1-5-32-544
  Learn more
Manage Volume
Baseline default: Configured
Value:
- *S-1-5-32-544
  Learn more
Modify Firmware Environment
Baseline default: Configured
Value:
- *S-1-5-32-544
  Learn more
Profile Single Process
Baseline default: Configured
Value:
- *S-1-5-32-544
  Learn more
Remote Shutdown
Baseline default: Configured
Value:
- *S-1-5-32-544
  Learn more
Restore Files And Directories
Baseline default: Configured
Value:
- *S-1-5-32-544
  Learn more
Take Ownership
Baseline default: Configured
Value:
- *S-1-5-32-544
  Learn more

Virtualization Based Technology

Hypervisor Enforced Code Integrity
Baseline default: (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock.
Learn more

Wi-Fi Settings

Allow Auto Connect To Wi Fi Sense Hotspots
Baseline default: Block
Learn more
Allow Internet Sharing
Baseline default: Block
Learn more

Windows Ink Workspace

Allow Windows Ink Workspace
Baseline default: Ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
Learn more

Windows 365 Cloud PC security baseline November 2021:

Above Lock

Voice activate apps from locked screen:
Baseline default: Disabled
Learn more
Block display of toast notifications:
Baseline default: Yes
Learn more

App Runtime

Microsoft accounts optional for Microsoft store apps:
Baseline default: Enabled
Learn more

Application management

Block app installations with elevated privileges:
Baseline default: Yes
Learn more
Block user control over installations:
Baseline default: Yes
Learn more
Block game DVR (desktop only):
Baseline default: Yes
Learn more

Attack Surface Reduction Rules

For general information, see Learn about attack surface reduction rules.

Block Office communication apps from creating child processes:
Baseline default: Enable
Learn more
Block Adobe Reader from creating child processes:
Baseline default: Enable
Learn more
Block Office applications from injecting code into other processes:
Baseline default: Block
Learn more
Block Office applications from creating executable content:
Baseline default: Block
Learn more
Block JavaScript or VBScript from launching downloaded executable content:
Baseline default: Block
Learn more
Enable network protection:
Baseline default: Enable
Learn more
Block untrusted and unsigned processes that run from USB:
Baseline default: Block
Learn more
Block credential stealing from the Windows local security authority subsystem (lsass.exe):
Baseline default: Enable
Learn more
Block all Office applications from creating child processes:
Baseline default: Block
Learn more
Block execution of potentially obfuscated scripts (js/vbs/ps):
Baseline default: Block
Learn more
Block Win32 API calls from Office macro:
Baseline default: Block
Learn more
Block executable content download from email and webmail clients:
Baseline default: Block
Learn more

Audit

Audit settings configure the events that are generated for the conditions of the setting.

Account Logon Audit Credential Validation (Device):
Baseline default: Success and Failure
Account Logon Audit Kerberos Authentication Service (Device):
Baseline default: None
Account Logon Logoff Audit Account Lockout (Device):
Baseline default: Failure
Account Logon Logoff Audit Group Membership (Device):
Baseline default: Success
Account Logon Logoff Audit Logon (Device):
Baseline default: Success and Failure
Audit Other Logon Logoff Events (Device):
Baseline default: Success and Failure
Audit Special Logon (Device):
Baseline default: Success
Audit Security Group Management (Device):
Baseline default: Success
Audit User Account Management (Device):
Baseline default: Success and Failure
Detailed Tracking Audit PNP Activity (Device):
Baseline default: Success
Detailed Tracking Audit Process Creation (Device):
Baseline default: Success
Object Access Audit Detailed File Share (Device):
Baseline default: Failure
Audit File Share Access (Device):
Baseline default: Success and Failure
Object Access Audit Other Object Access Events (Device):
Baseline default: Success and Failure
Object Access Audit Removable Storage (Device):
Baseline default: Success and Failure
Audit Authentication Policy Change (Device):
Baseline default: Success
Policy Change Audit MPSSVC Rule Level Policy Change (Device):
Baseline default: Success and Failure
Policy Change Audit Other Policy Change Events (Device):
Baseline default: Failure
Audit Changes to Audit Policy (Device):
Baseline default: Success
Privilege Use Audit Sensitive Privilege Use (Device):
Baseline default: Success and Failure
System Audit Other System Events (Device):
Baseline default: Success and Failure
System Audit Security State Change (Device):
Baseline default: Success
Audit Security System Extension (Device):
Baseline default: Success
System Audit System Integrity (Device):
Baseline default: Success and Failure

Auto Play

Auto play default auto run behavior:
Baseline default: Do not execute
Learn more
Auto play mode:
Baseline default: Disabled
Learn more
Block auto play for non-volume devices:
Baseline default: Enabled
Learn more

Browser

Block Password Manager:
Baseline default: Yes
Learn more
Require SmartScreen for Microsoft Edge Legacy:
Baseline default: Yes
Learn more
Block malicious site:
Baseline default: Yes
Learn more
Block unverified file download:
Baseline default: Yes
Learn more
Prevent user from overriding certificate errors:
Baseline default: Yes
Learn more

Connectivity

Configure secure access to UNC paths:
Baseline default: Configure Windows to only allow access to the specified UNC paths after fulfilling additional security requirements
Learn more
- Hardened UNC path list:
  Not configured by default. Manually add one or more hardened UNC paths.
Block downloading of print drivers over HTTP:
Baseline default: Enabled
Learn more
Block Internet download for web publishing and online ordering wizards:
Baseline default: Enabled
Learn more

Credentials Delegation

Remote host delegation of non-exportable credentials:
Baseline default: Enabled
Learn more

Credentials UI

Enumerate administrators:
Baseline default: Disabled
Learn more

Device Guard

Virtualization based security:
Baseline default: Enable VBS with secure boot
Enable virtualization based security:
Baseline default: Yes
Learn more
Launch system guard:
Baseline default: Enabled
Turn on Credential Guard:
Baseline default: Enable with UEFI lock
Learn more

Device Installation

Block hardware device installation by setup classes
Baseline default: Yes
Learn more
- Remove matching hardware devices
  Baseline default: Yes
- Block list
  Not configured by default. Manually add one or more Identifiers.

DMA Guard

Enumeration of external devices incompatible with Kernel DMA Protection
Baseline default: Block all

Event Log Service

Application log maximum file size in KB
Baseline default: 32768
Learn more
System log maximum file size in KB
Baseline default: 32768
Learn more
Security log maximum file size in KB
Baseline default: 196608
Learn more

Experience

Block Windows Spotlight
Baseline default: Yes
Learn more

File Explorer

Block data execution prevention
Baseline default: Disabled
Learn more
Block heap termination on corruption
Baseline default: Disabled
Learn more

Firewall

For more information, see 2.2.2 FW_PROFILE_TYPE in the Windows Protocols documentation.

Firewall profile domain:
Baseline default: Configure
Learn more
- Inbound connections blocked:
  Baseline default: Yes
  Learn more
- Outbound connections required:
  Baseline default: Yes
  Learn more
- Inbound notifications blocked:
  Baseline default: Yes
  Learn more
- Firewall enabled:
  Baseline default: Allowed
  Learn more
Firewall profile private:
Baseline default: Configure
Learn more
- Inbound connections blocked:
  Baseline default: Yes
  Learn more
- Outbound connections required:
  Baseline default: Yes
  Learn more
- Inbound notifications blocked:
  Baseline default: Yes
  Learn more
- Firewall enabled:
  Baseline default: Allowed
  Learn more
Firewall profile public:
Baseline default: Configure
Learn more
- Inbound connections blocked:
  Baseline default: Yes
  Learn more
- Outbound connections required:
  Baseline default: Yes
  Learn more
- Inbound notifications blocked:
  Baseline default: Yes
  Learn more
- Firewall enabled:
  Baseline default: Allowed
  Learn more
- Connection security rules from group policy not merged:
  Baseline default: Yes
  Learn more
- Policy rules from group policy not merged:
  Baseline default: Yes
  Learn more

Internet Explorer

View the full list of Internet Explorer CSPs.

Internet Explorer encryption support
Baseline defaults: Two items: TLS v1.1 and TLS v1.2

Learn more
Internet Explorer prevent managing smart screen filter
Baseline default: Enable
Learn more
Internet Explorer restricted zone script Active X controls marked safe for scripting
Baseline default: Disable
Learn more
Internet Explorer restricted zone file downloads
Baseline default: Disable
Learn more
Internet Explorer certificate address mismatch warning
Baseline default: Disable
Learn more
Internet Explorer enhanced protected mode
Baseline default: Disable
Learn more
Internet Explorer fallback to SSL3
Baseline default: No sites
Learn more
Internet Explorer software when signature is invalid
Baseline default: Disable
Learn more
Internet Explorer check server certificate revocation
Baseline default: Enable
Learn more
Internet Explorer check signatures on downloaded programs
Baseline default: Enable
Learn more
Internet Explorer processes consistent MIME handling
Baseline default: Enable
Learn more
Internet Explorer bypass smart screen warnings
Baseline default: Disable
Learn more
Internet Explorer bypass smart screen warnings about uncommon files
Baseline default: Disable
Learn more
Internet Explorer crash detection
Baseline default: Disable
Learn more
Internet Explorer download enclosures
Baseline default: Disable
Learn more
Internet Explorer ignore certificate errors
Baseline default: Disable
Learn more
Internet Explorer disable processes in enhanced protected mode
Baseline default: Enable
Learn more
Internet Explorer security settings check
Baseline default: Enabled
Learn more
Internet Explorer Active X controls in protected mode
Baseline default: Disabled
Learn more
Internet Explorer users adding sites
Baseline default: Disabled
Learn more
Internet Explorer users changing policies
Baseline default: Disabled
Learn more
Internet Explorer block outdated Active X controls
Baseline default: Enabled
Learn more
Internet Explorer include all network paths
Baseline default: Disabled
Learn more
Internet Explorer internet zone access to data sources
Baseline default: Disable
Learn more
Internet Explorer internet zone automatic prompt for file downloads
Baseline default: Disabled
Learn more
Internet Explorer internet zone copy and paste via script
Baseline default: Disable
Learn more
Internet Explorer internet zone drag and drop or copy and paste files
Baseline default: Disable
Learn more
Internet Explorer internet zone less privileged sites
Baseline default: Disable
Learn more
Internet Explorer internet zone loading of XAML files
Baseline default: Disable
Learn more
Internet Explorer internet zone .NET Framework reliant components
Baseline default: Disable
Learn more
Internet Explorer internet zone allows only approved domains to use ActiveX controls
Baseline default: Enabled
Learn more
Internet Explorer internet zone allows only approved domains to use tdc ActiveX controls
Baseline default: Enabled
Learn more
Internet Explorer internet zone scripting of web browser controls
Baseline default: Disabled
Learn more
Internet Explorer internet zone script initiated windows
Baseline default: Disabled
Learn more
Internet Explorer internet zone scriptlets
Baseline default: Disable
Learn more
Internet Explorer internet zone smart screen
Baseline default: Enabled
Learn more
Internet Explorer internet zone updates to status bar via script
Baseline default: Disabled
Learn more
Internet Explorer internet zone user data persistence
Baseline default: Disabled
Learn more
Internet Explorer internet zone allows VBscript to run
Baseline default: Disable
Learn more
Internet Explorer internet zone do not run antimalware against ActiveX controls
Baseline default: Disabled
Learn more
Internet Explorer internet zone download signed ActiveX controls
Baseline default: Disable
Learn more
Internet Explorer internet zone download unsigned ActiveX controls
Baseline default: Disable
Learn more
Internet Explorer internet zone cross site scripting filter
Baseline default: Enabled
Learn more
Internet Explorer internet zone drag content from different domains across windows
Baseline default: Disabled
Learn more
Internet Explorer internet zone drag content from different domains within windows
Baseline default: Disabled
Learn more
Internet Explorer internet zone protected mode
Baseline default: Enable
Learn more
Internet Explorer internet zone include local path when uploading files to server
Baseline default: Disabled
Learn more
Internet Explorer internet zone initialize and script Active X controls not marked as safe
Baseline default: Disable
Learn more
Internet Explorer internet zone java permissions
Baseline default: Disable java
Learn more
Internet Explorer internet zone launch applications and files in an iframe
Baseline default: Disable
Learn more
Internet Explorer internet zone logon options
Baseline default: Prompt
Learn more
Internet Explorer internet zone navigate windows and frames across different domains
Baseline default: Disable
Learn more
Internet Explorer internet zone run .NET Framework reliant components signed with Authenticode
Baseline default: Disable
Learn more
Internet Explorer internet zone security warning for potentially unsafe files
Baseline default: Prompt
Learn more
Internet Explorer internet zone popup blocker
Baseline default: Enable
Learn more
Internet Explorer intranet zone do not run antimalware against Active X controls
Baseline default: Disabled
Learn more
Internet Explorer intranet zone initialize and script Active X controls not marked as safe
Baseline default: Disable
Learn more
Internet Explorer intranet zone java permissions
Baseline default: High safety
Learn more
Internet Explorer local machine zone do not run antimalware against Active X controls
Baseline default: Disabled
Learn more
Internet Explorer local machine zone java permissions
Baseline default: Disable java
Learn more
Internet Explorer locked down internet zone smart screen
Baseline default: Enabled
Learn more
Internet Explorer locked down intranet zone java permissions
Baseline default: Disable java
Learn more
Internet Explorer locked down local machine zone java permissions
Baseline default: Disable java
Learn more
Internet Explorer locked down restricted zone smart screen
Baseline default: Enabled
Learn more
Internet Explorer locked down restricted zone java permissions
Baseline default: Disable java
Learn more
Internet Explorer locked down trusted zone java permissions
Baseline default: Disable java
Learn more
Internet Explorer processes MIME sniffing safety feature
Baseline default: Enabled
Learn more
Internet Explorer processes MK protocol security restriction
Baseline default: Enabled
Learn more
Internet Explorer processes notification bar
Baseline default: Enabled
Learn more
Internet Explorer prevent per user installation of Active X controls
Baseline default: Enabled
Learn more
Internet Explorer processes protection from zone elevation
Baseline default: Enabled
Learn more
Internet Explorer remove run this time button for outdated Active X controls
Baseline default: Enabled
Learn more
Internet Explorer processes restrict Active X install
Baseline default: Enabled
Learn more
Internet Explorer restricted zone access to data sources
Baseline default: Disable
Learn more
Internet Explorer restricted zone active scripting
Baseline default: Disable
Learn more
Internet Explorer restricted zone automatic prompt for file downloads
Baseline default: Disabled
Learn more
Internet Explorer restricted zone binary and script behaviors
Baseline default: Disable
Learn more
Internet Explorer restricted zone copy and paste via script
Baseline default: Disable
Learn more
Internet Explorer restricted zone drag and drop or copy and paste files
Baseline default: Disable
Learn more
Internet Explorer restricted zone less privileged sites
Baseline default: Disable
Learn more
Internet Explorer restricted zone loading of XAML files
Baseline default: Disable
Learn more
Internet Explorer restricted zone meta refresh
Baseline default: Disabled
Learn more
Internet Explorer restricted zone .NET Framework reliant components
Baseline default: Disable
Learn more
Internet Explorer restricted zone allows only approved domains to use Active X controls
Baseline default: Enabled
Learn more
Internet Explorer restricted zone allows only approved domains to use tdc Active X controls
Baseline default: Enabled
Learn more
Internet Explorer restricted zone scripting of web browser controls
Baseline default: Disabled
Learn more
Internet Explorer restricted zone script initiated windows
Baseline default: Disabled
Learn more
Internet Explorer restricted zone scriptlets
Baseline default: Disabled
Learn more
Internet Explorer restricted zone smart screen
Baseline default: Enabled
Learn more
Internet Explorer restricted zone updates to status bar via script
Baseline default: Disabled
Learn more
Internet Explorer restricted zone user data persistence
Baseline default: Disabled
Learn more
Internet Explorer restricted zone allows vbscript to run
Baseline default: Disable
Learn more
Internet Explorer restricted zone do not run antimalware against Active X controls
Baseline default: Disabled
Learn more
Internet Explorer restricted zone download signed Active X controls
Baseline default: Disable
Learn more
Internet Explorer restricted zone download unsigned Active X controls
Baseline default: Disable
Learn more
Internet Explorer restricted zone cross site scripting filter
Baseline default: Enabled
Learn more
Internet Explorer restricted zone drag content from different domains across windows
Baseline default: Disabled
Learn more
Internet Explorer restricted zone drag content from different domains within windows
Baseline default: Disabled
Learn more
Internet Explorer restricted zone include local path when uploading files to server
Baseline default: Disabled
Learn more
Internet Explorer restricted zone initialize and script Active X controls not marked as safe
Baseline default: Disable
Learn more
Internet Explorer restricted zone java permissions
Baseline default: Disable java
Learn more
Internet Explorer restricted zone launch applications and files in an iFrame
Baseline default: Disable
Learn more
Internet Explorer restricted zone logon options
Baseline default: Anonymous
Learn more
Internet Explorer restricted zone navigate windows and frames across different domains
Baseline default: Disable
Learn more
Internet Explorer restricted zone run Active X controls and plugins
Baseline default: Disable
Learn more
Internet Explorer restricted zone run .NET Framework reliant components signed with Authenticode
Baseline default: Disable
Learn more
Internet Explorer restricted zone scripting of java applets
Baseline default: Disable
Learn more
Internet Explorer restricted zone security warning for potentially unsafe files
Baseline default: Disable
Learn more
Internet Explorer restricted zone protected mode
Baseline default: Enable
Learn more
Internet Explorer restricted zone popup blocker
Baseline default: Enable
Learn more
Internet Explorer processes restrict file download
Baseline default: Enabled
Learn more
Internet Explorer processes scripted window security restrictions
Baseline default: Enabled
Learn more
Internet Explorer security zones use only machine settings
Baseline default: Enabled
Learn more
Internet Explorer use Active X installer service
Baseline default: Enabled
Learn more
Internet Explorer trusted zone do not run antimalware against Active X controls
Baseline default: Disabled
Learn more
Internet Explorer trusted zone initialize and script Active X controls not marked as safe
Baseline default: Disable
Learn more
Internet Explorer trusted zone java permissions
Baseline default: High safety
Learn more
Internet Explorer auto complete
Baseline default: Disabled
Learn more

Local Policies Security Options

Block remote logon with blank password
Baseline default: Yes
Learn more
Minutes of lock screen inactivity until screen saver activates
Baseline default: 15
Learn more
Smart card removal behavior
Baseline default: Lock workstation
Learn more
Require client to always digitally sign communications
Baseline default: Yes
Learn more
Prevent clients from sending unencrypted passwords to third party SMB servers
Baseline default: Yes
Learn more
Require server digitally signing communications always
Baseline default: Yes
Learn more
Prevent anonymous enumeration of SAM accounts
Baseline default: Yes
Learn more
Block anonymous enumeration of SAM accounts and shares
Baseline default: Yes
Learn more
Restrict anonymous access to named pipes and shares
Baseline default: Yes
Learn more
Allow remote calls to security accounts manager
Baseline default: O:BAG:BAD:(A;;RC;;;BA)
Learn more
Prevent storing LAN manager hash value on next password change
Baseline default: Yes
Learn more
Authentication level
Baseline default: Send NTLMv2 response only. Refuse LM and NTLM
Learn more
Minimum session security for NTLM SSP based clients
Baseline default: Require NTLM V2 and 128 bit encryption
Learn more
Minimum session security for NTLM SSP based servers
Baseline default: Require NTLM V2 and 128 bit encryption
Learn more
Administrator elevation prompt behavior
Baseline default: Prompt for consent on the secure desktop
Learn more
Standard user elevation prompt behavior
Baseline default: Automatically deny elevation requests
Learn more
Detect application installations and prompt for elevation
Baseline default: Yes
Learn more
Only allow UI access applications for secure locations
Baseline default: Yes
Learn more
Require admin approval mode for administrators
Baseline default: Yes
Learn more
Use admin approval mode
Baseline default: Yes
Learn more
Virtualize file and registry write failures to per user locations
Baseline default: Yes
Learn more

Microsoft Defender

Turn on real-time protection
Baseline default: Yes
Learn more
Scan scripts that are used in Microsoft browsers
Baseline default: Yes
Learn more
Additional amount of time (0-50 seconds) to extend cloud protection timeout
Baseline default: 50
Learn more
Scan all downloaded files and attachments
Baseline default: Yes
Learn more
Scan type
Baseline default: Quick scan
Learn more
Defender schedule scan day
Baseline default: Everyday
Scheduled scan start time
Baseline default: Not configured
Defender sample submission consent
Baseline default: Send safe samples automatically
Learn more
Cloud-delivered protection level
Baseline default: High
Learn more
Scan removable drives during full scan
Baseline default: Yes
Learn more
Defender potentially unwanted app action
Baseline default: Block
Learn more
Turn on cloud-delivered protection
Baseline default: Yes
Learn more

Microsoft Defender Antivirus Exclusions

Defender Processes to exclude
Baseline defaults: Not configured by default. Manually add one or more entries.
File extensions to exclude from scans and real-time protection
Baseline defaults: Not configured by default. Manually add one or more entries.
Defender Files And Folders To Exclude
Baseline default: Not configured by default. Manually add one or more entries.

Microsoft Edge

Control which extensions cannot be installed
Baseline default: Enabled
- Extension IDs the user should be prevented from installing (or * for all)
  Baseline default: Not configured by default. Manually add one or more IDs
Allow user-level native messaging hosts (installed without admin permissions)
Baseline default: Disabled
Minimum SSL version enabled
Baseline default: Enabled
- Minimum SSL version enabled
  Baseline default: TLS 1.2
Allow users to proceed from the SSL warning page
Baseline default: Disabled
Configure Microsoft Defender SmartScreen
Baseline default: Enabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Baseline default: Enabled
Default Adobe Flash setting
Baseline default: Enabled
- Default Adobe Flash setting
  Baseline default: Block the Adobe Flash plugin
Enable saving passwords to the password manager
Baseline default: Disabled
Enable site isolation for every site
Baseline default: Enabled
Supported authentication schemes
Baseline default: Enabled
- Supported authentication schemes
  Baseline defaults: Two items: NTLM and Negotiate

MS Security Guide

SMB v1 client driver start configuration
Baseline default: Disable driver
Learn more
Apply UAC restrictions to local accounts on network logon
Baseline default: Enabled
Learn more
Structured exception handling overwrite protection
Baseline default: Enabled
Learn more
SMB v1 server
Baseline default: Disabled
Learn more
Digest authentication
Baseline default: Disabled
Learn more

MSS Legacy

Network IPv6 source routing protection level
Baseline default: Highest protection
Learn more
Network IP source routing protection level
Baseline default: Highest protection
Learn more
Network ignore NetBIOS name release requests except from WINS servers
Baseline default: Enabled
Learn more
Network ICMP redirects override OSPF generated routes
Baseline default: Disabled
Learn more

Remote Assistance

Remote Assistance solicited
Baseline default: Disable Remote Assistance
Learn more

Remote Desktop Services

Remote desktop services client connection encryption level
Baseline default: High
Learn more
Block drive redirection
Baseline default: Enabled
Block password saving
Baseline default: Enabled
Learn more
Prompt for password upon connection
Baseline default: Enabled
Learn more
Secure RPC communication
Baseline default: Enabled
Learn more

Remote Management

Block client digest authentication
Baseline default: Enabled
Learn more
Block storing run as credentials
Baseline default: Enabled
Learn more
Client basic authentication
Baseline default: Disabled
Learn more
Basic authentication
Baseline default: Disabled
Learn more
Client unencrypted traffic
Baseline default: Disabled
Learn more
Unencrypted traffic
Baseline default: Disabled
Learn more

Remote Procedure Call

RPC unauthenticated client options
Baseline default: Authenticated
Learn more

Search

Disable indexing encrypted items
Baseline default: Yes
Learn more

Smart Screen

Turn on Windows SmartScreen
Baseline default: Yes
Learn more
Block users from ignoring SmartScreen warnings
Baseline default: Yes
Learn more

System

System boot start driver initialization
Baseline default: Good unknown and bad critical
Learn more

Windows Connection Manager

Block connection to non-domain networks
Baseline default: Enabled
Learn more

Windows Ink Workspace

Ink Workspace
Baseline default: Enabled
Learn more

Windows PowerShell

PowerShell script block logging
Baseline default: Enabled
Learn more

Windows Security

Enable tamper protection to prevent Microsoft Defender being disabled
Baseline default: Enable
Learn more

שתף באמצעות

List of the settings in the Windows 365 Cloud PC security baseline in Intune

Administrative Templates

Control Panel > Personalization

MS Security Guide

MSS (Legacy)

Network > DNS Client

Network > Network Connections

Network > Network Provider

Network > Windows Connection Manager

Start Menu and Taskbar > Notifications

System > Credentials Delegation

System > Device Installation > Device Installation Restrictions

System > Early Launch Antimalware

System > Group Policy

System > Internet Communication Management > Internet Communication settings

System > Power Management > Sleep Settings

System > Remote Assistance

System > Remote Procedure Call

Windows Components > App runtime

Windows Components > AutoPlay Policies

Windows Components > BitLocker Drive Encryption > Fixed Data Drives

Windows Components > BitLocker Drive Encryption > Removable Data Drives

Windows Components > Credential User Interface

Windows Components > Event Log Service > Application

Windows Components > Event Log Service > Security

Windows Components > Event Log Service > System

Windows Components > File Explorer

Windows Components > Internet Explorer > Internet Control Panel > Advanced Page

Windows Components > Internet Explorer > Internet Control Panel

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone

Windows Components > Internet Explorer > Internet Control Panel > Security Page

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone

Windows Components > Internet Explorer

Windows Components > Internet Explorer > Security Features > Add-on Management

Windows Components > Internet Explorer > Security Features

Windows Components > Internet Explorer > Security Features > Consistent Mime Handling

Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature

Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction

Windows Components > Internet Explorer > Security Features > Notification bar

Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation

Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install

Windows Components > Internet Explorer > Security Features > Restrict File Download

Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions

Windows Components > Microsoft Defender Antivirus > MAPS

Windows Components > Microsoft Defender Antivirus > Real-time Protection

Windows Components > Microsoft Defender Antivirus > Scan

Windows Components > Microsoft Defender Antivirus

Windows Components > Remote Desktop Services > Remote Desktop Connection Client

Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection

Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security

Windows Components > RSS Feeds

Windows Components > Windows Logon Options

Windows Components > Windows PowerShell

Windows Components > Windows Remote Management (WinRM) > WinRM Client

Windows Components > Windows Remote Management (WinRM) > WinRM Service

Auditing

Browser

Data Protection

Defender

Device Guard

Device Lock

Dma Guard

Experience

Firewall

Lanman Workstation

Local Policies Security Options

Local Security Authority

Microsoft App Store

Microsoft Edge

Content settings

SmartScreen settings