Rediger

Del via


List of the settings in the Microsoft Defender for Endpoint security baseline in Intune

This article is a reference for the settings that are available in the different versions of the Microsoft Defender for Endpoint security baseline that you can deploy with Microsoft Intune. Use the tabs to select and view the settings in the most recent baseline version and a few older versions that might still be in use.

For each setting this reference identifies the baselines default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types, like the MDM security and the Defender for Endpoint baselines, can also set different defaults.

When the Intune UI includes a Learn more link for a setting, you’ll find that here as well. Use that link to view the settings policy configuration service provider (CSP) or relevant content that explains the settings operation.

When a new version of a baseline becomes available, it replaces the previous version. Profiles instances that are created prior to the availability of a new version:

  • Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
  • Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see Use security baselines. In that article you'll also find information about how to:

Microsoft Defender for Endpoint baseline version 24H1

Microsoft Defender for Endpoint baseline for December 2020 - version 6

Microsoft Defender for Endpoint baseline for September 2020 - version 5

Microsoft Defender for Endpoint baseline for April 2020 - version 4

Microsoft Defender for Endpoint baseline for March 2020 - version 3

The Microsoft Defender for Endpoint baseline is available when your environment meets the prerequisites for using Microsoft Defender for Endpoint.

This baseline is optimized for physical devices and isn't recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can affect remote interactive sessions on virtualized environments. For more information, see Increase compliance to the Microsoft Defender for Endpoint security baseline in the Windows documentation.

Administrative Templates

System > Device Installation > Device Installation Restrictions

  • Prevent installation of devices using drivers that match these device setup classes
    Baseline default: Enabled
    Learn more

    • Prevented Classes
      Baseline default: d48179be-ec20-11d1-b6b8-00c04fa372a7

    • Also apply to matching devices that are already installed.
      Baseline default: False

Windows Components > BitLocker Drive Encryption

  • Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
    Baseline default: Enabled
    Learn more

    • Select the encryption method for removable data drives:
      Baseline default: AES-CBC 128-bit (default)

    • Select the encryption method for operating system drives:
      Baseline default: XTS-AES 128-bit (default)

    • Select the encryption method for fixed data drives:
      Baseline default: XTS-AES 128-bit (default)

Windows Components > BitLocker Drive Encryption > Fixed Data Drives

  • Choose how BitLocker-protected fixed drives can be recovered
    Baseline default: Enabled
    Learn more

    • Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives
      Baseline default: True

    • Allow data recovery agent
      Baseline default: True

    • Configure storage of BitLocker recovery information to AD DS:
      Baseline default: Backup recovery passwords and key packages

      Value: Allow 256-bit recovery key

    • Save BitLocker recovery information to AD DS for fixed data drives
      Baseline default: True

    • Omit recovery options from the BitLocker setup wizard
      Baseline default: True

    • Configure user storage of BitLocker recovery information:
      Baseline default: Allow 48-digit recovery password

  • Deny write access to fixed drives not protected by BitLocker
    Baseline default: Enabled
    Learn more

  • Enforce drive encryption type on fixed data drives
    Baseline default: Enabled
    Learn more

    • Select the encryption type: (Device)
      Baseline default: Used Space Only encryption

Windows Components > BitLocker Drive Encryption > Operating System Drives

  • Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.
    Baseline default: Disabled
    Learn more

  • Allow enhanced PINs for startup
    Baseline default: Disabled
    Learn more

  • Choose how BitLocker-protected operating system drives can be recovered
    Baseline default: Enabled
    Learn more

    • Omit recovery options from the BitLocker setup wizard
      Baseline default: True

    • Allow data recovery agent
      Baseline default: True

      Value: Allow 256-bit recovery key

    • Configure storage of BitLocker recovery information to AD DS:
      Baseline default: Store recovery passwords and key packages

    • Do not enable BitLocker until recovery information is stored to AD DS for operating system drives
      Baseline default: True

    • Save BitLocker recovery information to AD DS for operating system drives
      Baseline default: True

    • Configure user storage of BitLocker recovery information:
      Baseline default: Allow 48-digit recovery password

  • Enable use of BitLocker authentication requiring preboot keyboard input on slates
    Baseline default: Enabled
    Learn more

  • Enforce drive encryption type on operating system drive
    Baseline default: Enabled
    Learn more

    • Select the encryption type: (Device)
      Baseline default: Used Space Only encryption
  • Require additional authentication at startup
    Baseline default: Enabled
    Learn more

    • Configure TPM startup key and PIN:
      Baseline default: Do not allow startup key and PIN with TPM

    • Configure TPM startup:
      Baseline default: Allow TPM

    • Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)
      Baseline default: False

    • Configure TPM startup PIN:
      Baseline default: Allow startup PIN with TPM

    • Configure TPM startup key:
      Baseline default: Do not allow startup key with TPM

Windows Components > BitLocker Drive Encryption > Removable Data Drives

  • Control use of BitLocker on removable drives
    Baseline default: Enabled
    Learn more

    • Allow users to apply BitLocker protection on removable data drives (Device)
      Baseline default: True

      • Enforce drive encryption type on removable data drives
        Baseline default: Enabled
        Learn more

        • Select the encryption type: (Device)
          Baseline default: Used Space Only encryption
    • Allow users to suspend and decrypt BitLocker protection on removable data drives (Device)
      Baseline default: False

  • Deny write access to removable drives not protected by BitLocker
    Baseline default: Enabled
    Learn more

    • Do not allow write access to devices configured in another organization
      Baseline default: False

Windows Components > File Explorer

  • Configure Windows Defender SmartScreen
    Baseline default: Enabled
    Learn more

    • Pick one of the following settings: (Device)
      Baseline default: Warn and prevent bypass

Windows Components > Internet Explorer

  • Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet
    Baseline default: Enabled
    Learn more

  • Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet (User)
    Baseline default: Enabled
    Learn more

  • Prevent managing SmartScreen Filter
    Baseline default: Enabled
    Learn more

    • Select SmartScreen Filter mode
      Baseline default: On

BitLocker

  • Allow Warning For Other Disk Encryption
    Baseline default: Enabled
    Learn more

  • Configure Recovery Password Rotation
    Baseline default: Refresh on for both Azure AD-joined and hybrid-joined devices
    Learn more

  • Require Device Encryption
    Baseline default: Enabled
    Learn more

Defender

  • Allow Archive Scanning
    Baseline default: Allowed. Scans the archive files.
    Learn more

  • Allow Behavior Monitoring
    Baseline default: Allowed. Turns on real-time behavior monitoring.
    Learn more

  • Allow Cloud Protection
    Baseline default: Allowed. Turns on Cloud Protection.
    Learn more

  • Allow Email Scanning
    Baseline default: Allowed. Turns on email scanning.
    Learn more

  • Allow Full Scan Removable Drive Scanning
    Baseline default: Allowed. Scans removable drives.
    Learn more

  • Allow On Access Protection
    Baseline default: Allowed.
    Learn more

  • Allow Realtime Monitoring
    Baseline default: Allowed. Turns on and runs the real-time monitoring service.
    Learn more

  • Allow Scanning Network Files
    Baseline default: Allowed. Scans network files.
    Learn more

  • Allow scanning of all downloaded files and attachments
    Baseline default: Allowed.
    Learn more

  • Allow Script Scanning
    Baseline default: Allowed.
    Learn more

  • Allow User UI Access
    Baseline default: Allowed. Lets users access UI.
    Learn more

    • Block execution of potentially obfuscated scripts
      Baseline default: Block
      Learn more

    • Block Win32 API calls from Office macros
      Baseline default: Block
      Learn more

    • Block executable files from running unless they meet a prevalence, age, or trusted list criterion
      Baseline default: Block
      Learn more

    • Block Office communication application from creating child processes
      Baseline default: Block
      Learn more

    • Block all Office applications from creating child processes
      Baseline default: Block
      Learn more

    • Block Adobe Reader from creating child processes
      Baseline default: Block
      Learn more

    • Block credential stealing from the Windows local security authority subsystem
      Baseline default: Block
      Learn more

    • Block JavaScript or VBScript from launching downloaded executable content
      Baseline default: Block
      Learn more

    • Block Webshell creation for Servers
      Baseline default: Block
      Learn more

    • Block untrusted and unsigned processes that run from USB
      Baseline default: Block
      Learn more

    • Block persistence through WMI event subscription
      Baseline default: Audit
      Learn more

    • [PREVIEW] Block use of copied or impersonated system tools
      Baseline default: Block
      Learn more

    • Block abuse of exploited vulnerable signed drivers (Device)
      Baseline default: Block
      Learn more

    • Block process creations originating from PSExec and WMI commands
      Baseline default: Audit
      Learn more

    • Block Office applications from creating executable content
      Baseline default: Block
      Learn more

    • Block Office applications from injecting code into other processes
      Baseline default: Block
      Learn more

    • [PREVIEW] Block rebooting machine in Safe Mode
      Baseline default: Block
      Learn more

    • Use advanced protection against ransomware
      Baseline default: Block
      Learn more

    • Block executable content from email client and webmail
      Baseline default: Block
      Learn more

  • Check For Signatures Before Running Scan
    Baseline default: Enabled
    Learn more

  • Cloud Block Level
    Baseline default: High
    Learn more

  • Cloud Extended Timeout
    Baseline default: Configured
    Value: 50
    Learn more

  • Disable Local Admin Merge
    Baseline default: Enable Local Admin Merge
    Learn more

  • Enable Network Protection
    Baseline default: Enabled (block mode)
    Learn more

  • Hide Exclusions From Local Admins
    Baseline default: If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
    Learn more

  • Hide Exclusions From Local Users
    Baseline default: If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
    Learn more

  • Oobe Enable Rtp And Sig Update
    Baseline default: If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE.
    Learn more

  • PUA Protection
    Baseline default: PUA Protection on. Detected items are blocked. They will show in history along with other threats.
    Learn more

  • Real Time Scan Direction
    Baseline default: Monitor all files (bi-directional).
    Learn more

  • Scan Parameter
    Baseline default: Quick scan
    Learn more

  • Schedule Quick Scan Time
    Baseline default: Configured
    Value: 120
    Learn more

  • Schedule Scan Day
    Baseline default: Every day
    Learn more

  • Schedule Scan Time
    Baseline default: Configured
    Value: 120
    Learn more

  • Signature Update Interval
    Baseline default: Configured
    Value: 4
    Learn more

  • Submit Samples Consent
    Baseline default: Send all samples automatically.
    Learn more

Device Guard

  • Credential Guard
    Baseline default: (Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.
    Learn more

Dma Guard

  • Device Enumeration Policy
    Baseline default: Block all (Most restrictive)
    Learn more

Firewall

  • Certificate revocation list verification
    Baseline default: None
    Learn more

  • Disable Stateful Ftp
    Baseline default: True
    Learn more

  • Enable Domain Network Firewall
    Baseline default: True
    Learn more

    • Allow Local Ipsec Policy Merge
      Baseline default: True
      Learn more

    • Disable Stealth Mode
      Baseline default: False
      Learn more

    • Disable Inbound Notifications
      Baseline default: True
      Learn more

    • Disable Unicast Responses To Multicast Broadcast
      Baseline default: False
      Learn more

    • Global Ports Allow User Pref Merge
      Baseline default: True
      Learn more

    • Disable Stealth Mode Ipsec Secured Packet Exemption
      Baseline default: True
      Learn more

    • Allow Local Policy Merge
      Baseline default: True
      Learn more

  • Enable Packet Queue
    Baseline default: Configured
    Value: Disabled
    Learn more

  • Enable Private Network Firewall
    Baseline default: True
    Learn more

    • Default Inbound Action for Private Profile
      Baseline default: Block
      Learn more

    • Disable Unicast Responses To Multicast Broadcast
      Baseline default: False
      Learn more

    • Disable Stealth Mode
      Baseline default: False
      Learn more

    • Global Ports Allow User Pref Merge
      Baseline default: True
      Learn more

    • Allow Local Ipsec Policy Merge
      Baseline default: True
      Learn more

    • Disable Stealth Mode Ipsec Secured Packet Exemption
      Baseline default: True
      Learn more

    • Disable Inbound Notifications
      Baseline default: True
      Learn more

    • Allow Local Policy Merge
      Baseline default: True
      Learn more

    • Default Outbound Action
      Baseline default: Allow
      Learn more

    • Auth Apps Allow User Pref Merge
      Baseline default: True
      Learn more

  • Enable Public Network Firewall
    Baseline default: True
    Learn more

    • Disable Stealth Mode
      Baseline default: False
      Learn more

    • Default Outbound Action
      Baseline default: Allow
      Learn more

    • Disable Inbound Notifications
      Baseline default: True
      Learn more

    • Disable Stealth Mode Ipsec Secured Packet Exemption
      Baseline default: True
      Learn more

    • Allow Local Policy Merge
      Baseline default: True
      Learn more

    • Auth Apps Allow User Pref Merge
      Baseline default: True
      Learn more

    • Default Inbound Action for Public Profile
      Baseline default: Block
      Learn more

    • Disable Unicast Responses To Multicast Broadcast
      Baseline default: False
      Learn more

    • Global Ports Allow User Pref Merge
      Baseline default: True
      Learn more

    • Allow Local Ipsec Policy Merge
      Baseline default: True
      Learn more

  • Preshared Key Encoding
    Baseline default: UTF8
    Learn more

  • Security association idle time
    Baseline default: Configured
    Value: 300
    Learn more

Microsoft Edge

  • Configure Microsoft Defender SmartScreen
    Baseline default: Enabled

  • Configure Microsoft Defender SmartScreen to block potentially unwanted apps
    Baseline default: Enabled

  • Enable Microsoft Defender SmartScreen DNS requests
    Baseline default: Enabled

  • Enable new SmartScreen library
    Baseline default: Enabled

  • Force Microsoft Defender SmartScreen checks on downloads from trusted sources
    Baseline default: Enabled

  • Prevent bypassing Microsoft Defender SmartScreen prompts for sites
    Baseline default: Enabled

  • Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
    Baseline default: Enabled

Attack Surface Reduction Rules

Attack surface reduction rules support a merger of settings from different policies, to create a superset of policy for each device. Only the settings that aren't in conflict are merged. Settings that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed.

Attack surface reduction rule merge behavior is as follows:

  • Attack surface reduction rules from the following profiles are evaluated for each device the rules apply to:
    • Devices > Configuration policy > Endpoint protection profile > Microsoft Defender Exploit Guard > Attack Surface Reduction
    • Endpoint security > Attack surface reduction policy > Attack surface reduction rules
    • Endpoint security > Security baselines > Microsoft Defender for Endpoint Baseline > Attack Surface Reduction Rules.
  • Settings that don't have conflicts are added to a superset of policy for the device.
  • When two or more policies have conflicting settings, the conflicting settings aren't added to the combined policy, while settings that don’t conflict are added to the superset policy that applies to a device.
  • Only the configurations for conflicting settings are held back.

To learn more, see Attack surface reduction rules in the Microsoft Defender for Endpoint documentation.

  • Block Office communication apps from creating child processes
    Baseline default: Enable
    Learn more

  • Block Adobe Reader from creating child processes
    Baseline default: Enable
    Learn more

  • Block Office applications from injecting code into other processes
    Baseline default: Block
    Learn more

  • Block Office applications from creating executable content
    Baseline default: Block
    Learn more

  • Block JavaScript or VBScript from launching downloaded executable content
    Baseline default: Block
    Learn more

  • Enable network protection
    Baseline default: Enable
    Learn more

  • Block untrusted and unsigned processes that run from USB
    Baseline default: Block
    Learn more

  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    Baseline default: Enable
    Learn more

  • Block executable content download from email and webmail clients
    Baseline default: Block
    Learn more

  • Block all Office applications from creating child processes
    Baseline default: Block
    Learn more

  • Block execution of potentially obfuscated scripts (js/vbs/ps)
    Baseline default: Block
    Learn more

  • Block Win32 API calls from Office macro
    Baseline default: Block
    Learn more

Application Guard

For more information, see WindowsDefenderApplicationGuard CSP in the Windows documentation.

When you use Microsoft Edge, Microsoft Defender Application Guard protects your environment from sites that aren't trusted by your organization. When users visit sites that aren't listed in your isolated network boundary, the sites open in a Hyper-V virtual browsing session. Trusted sites are defined by a network boundary.

  • Turn on Application Guard for Edge (Options)
    Baseline default: Enabled for Edge
    Learn more

    • Block external content from non-enterprise approved sites
      Baseline default: Yes
      Learn more

    • Clipboard behavior
      Baseline default: Block copy and paste between PC and browser
      Learn more

  • Windows network isolation policy
    Baseline default: Configure
    Learn more

    • Network domains
      Baseline default: securitycenter.windows.com

BitLocker

  • Require storage cards to be encrypted (mobile only)
    Baseline default: Yes
    Learn more

    Note

    Support for Windows 10 Mobile and Windows Phone 8.1 ended in August of 2020.

  • Enable full disk encryption for OS and fixed data drives
    Baseline default: Yes
    Learn more

  • BitLocker system drive policy
    Baseline default: Configure
    Learn more

    • Configure encryption method for Operating System drives
      Baseline default: Not configured
      Learn more
  • BitLocker fixed drive policy
    Baseline default: Configure
    Learn more

    • Block write access to fixed data-drives not protected by BitLocker
      Baseline default: Yes
      Learn more
      This setting is available when BitLocker fixed drive policy is set to Configure.

    • Configure encryption method for fixed data-drives
      Baseline default: AES 128bit XTS
      Learn more

  • BitLocker removable drive policy
    Baseline default: Configure
    Learn more

    • Configure encryption method for removable data-drives
      Baseline default: AES 128bit CBC
      Learn more

    • Block write access to removable data-drives not protected by BitLocker
      Baseline default: Not configured
      Learn more

  • Standby states when sleeping while on battery Baseline default: Disabled
    Learn more

  • Standby states when sleeping while plugged in
    Baseline default: Disabled
    Learn more

  • Enable full disk encryption for OS and fixed data drives
    Baseline default: Yes
    Learn more

  • BitLocker system drive policy
    Baseline default: Configure
    Learn more

    • Startup authentication required
      Baseline default: Yes
      Learn more

    • Compatible TPM startup PIN
      Baseline default: Allowed
      Learn more

    • Compatible TPM startup key
      Baseline default: Required
      Learn more

    • Disable BitLocker on devices where TPM is incompatible
      Baseline default: Yes
      Learn more

    • Configure encryption method for Operating System drives
      Baseline default: Not configured
      Learn more

  • BitLocker fixed drive policy
    Baseline default: Configure
    Learn more

    • Block write access to fixed data-drives not protected by BitLocker
      Baseline default: Yes
      Learn more
      This setting is available when BitLocker fixed drive policy is set to Configure.

    • Configure encryption method for fixed data-drives
      Baseline default: AES 128bit XTS
      Learn more

  • BitLocker removable drive policy
    Baseline default: Configure
    Learn more

    • Configure encryption method for removable data-drives
      Baseline default: AES 128bit CBC
      Learn more

    • Block write access to removable data-drives not protected by BitLocker
      Baseline default: Not configured
      Learn more

  • BitLocker system drive policy
    Baseline default: Configure
    Learn more

    • Startup authentication required
      Baseline default: Yes
      Learn more

    • Compatible TPM startup PIN
      Baseline default: Allowed
      Learn more

    • Compatible TPM startup key
      Baseline default: Required
      Learn more

    • Disable BitLocker on devices where TPM is incompatible
      Baseline default: Yes
      Learn more

    • Configure encryption method for Operating System drives
      Baseline default: Not configured
      Learn more

  • Standby states when sleeping while on battery Baseline default: Disabled
    Learn more

  • Standby states when sleeping while plugged in
    Baseline default: Disabled
    Learn more

  • Enable full disk encryption for OS and fixed data drives
    Baseline default: Yes
    Learn more

  • BitLocker fixed drive policy
    Baseline default: Configure
    Learn more

    • Block write access to fixed data-drives not protected by BitLocker
      Baseline default: Yes
      Learn more
      This setting is available when BitLocker fixed drive policy is set to Configure.

    • Configure encryption method for fixed data-drives
      Baseline default: AES 128bit XTS
      Learn more

  • BitLocker removable drive policy
    Baseline default: Configure
    Learn more

    • Configure encryption method for removable data-drives
      Baseline default: AES 128bit CBC
      Learn more

    • Block write access to removable data-drives not protected by BitLocker
      Baseline default: Not configured
      Learn more

Browser

  • Require SmartScreen for Microsoft Edge
    Baseline default: Yes
    Learn more

  • Block malicious site access
    Baseline default: Yes
    Learn more

  • Block unverified file download
    Baseline default: Yes
    Learn more

Data Protection

  • Block direct memory access
    Baseline default: Yes
    Learn more

Device Guard

  • Turn on credential guard
    Baseline default: Enable with UEFI lock
    Learn more

Device Installation

  • Hardware device installation by device identifiers
    Baseline default: Block hardware device installation
    Learn more

    • Remove matching hardware devices Baseline default: Yes

    • Hardware device identifiers that are blocked
      Baseline default: Not configured by default. Manually add one or more device identifiers.

  • Hardware device installation by setup classes
    Baseline default: Block hardware device installation
    Learn more

    • Remove matching hardware devices Baseline default: Not configured

    • Hardware device identifiers that are blocked Baseline default: Not configured by default. Manually add one or more device identifiers.

  • Block hardware device installation by setup classes:
    Baseline default: Yes
    Learn more

    • Remove matching hardware devices:
      Baseline default: Yes

    • Block list
      Baseline default: Not configured by default. Manually add one or more setup class globally unique identifiers.

DMA Guard

  • Enumeration of external devices incompatible with Kernel DMA Protection
    Baseline default: Block all
    Learn more
  • Enumeration of external devices incompatible with Kernel DMA Protection
    Baseline default: Not configured
    Learn more

Endpoint Detection and Response

  • Sample sharing for all files
    Baseline default: Yes
    Learn more

  • Expedite telemetry reporting frequency
    Baseline default: Yes
    Learn more

Firewall

  • Stateful File Transfer Protocol (FTP)
    Baseline default: Disabled
    Learn more

  • Number of seconds a security association can be idle before it's deleted
    Baseline default: 300
    Learn more

  • Preshared key encoding
    Baseline default: UTF8
    Learn more

  • Certificate revocation list (CRL) verification
    Baseline default: Not configured
    Learn more

  • Packet queuing
    Baseline default: Not configured
    Learn more

  • Firewall profile private
    Baseline default: Configure
    Learn more

    • Inbound connections blocked
      Baseline default: Yes
      Learn more

    • Unicast responses to multicast broadcasts required
      Baseline default: Yes
      Learn more

    • Outbound connections required
      Baseline default: Yes
      Learn more

    • Inbound notifications blocked
      Baseline default: Yes
      Learn more

    • Global port rules from group policy merged
      Baseline default: Yes
      Learn more

    • Firewall enabled
      Baseline default: Allowed
      Learn more

    • Authorized application rules from group policy not merged
      Baseline default: Yes
      Learn more

    • Connection security rules from group policy not merged
      Baseline default: Yes
      Learn more

    • Incoming traffic required
      Baseline default: Yes
      Learn more

    • Policy rules from group policy not merged
      Baseline default: Yes
      Learn more

  • Stealth mode blocked
    Baseline default: Yes
    Learn more
  • Firewall profile public
    Baseline default: Configure
    Learn more

    • Inbound connections blocked
      Baseline default: Yes
      Learn more

    • Unicast responses to multicast broadcasts required
      Baseline default: Yes
      Learn more

    • Outbound connections required
      Baseline default: Yes
      Learn more

    • Authorized application rules from group policy not merged
      Baseline default: Yes**
      Learn more

    • Inbound notifications blocked
      Baseline default: Yes
      Learn more

    • Global port rules from group policy merged
      Baseline default: Yes
      Learn more

    • Firewall enabled
      Baseline default: Allowed
      Learn more

    • Connection security rules from group policy not merged
      Baseline default: Yes
      Learn more

    • Incoming traffic required
      Baseline default: Yes
      Learn more

    • Policy rules from group policy not merged
      Baseline default: Yes
      Learn more

  • Stealth mode blocked
    Baseline default: Yes
    Learn more
  • Firewall profile domain
    Baseline default: Configure
    Learn more

    • Unicast responses to multicast broadcasts required
      Baseline default: Yes
      Learn more

    • Authorized application rules from group policy not merged
      Baseline default: Yes
      Learn more

    • Inbound notifications blocked
      Baseline default: Yes
      Learn more

    • Global port rules from group policy merged
      Baseline default: Yes
      Learn more

    • Firewall enabled
      Baseline default: Allowed
      Learn more

    • Connection security rules from group policy not merged
      Baseline default: Yes
      Learn more

    • Policy rules from group policy not merged
      Baseline default: Yes
      Learn more

  • Stealth mode blocked
    Baseline default: Yes
    Learn more

Microsoft Defender

  • Turn on real-time protection
    Baseline default: Yes
    Learn more

  • Additional amount of time (0-50 seconds) to extend cloud protection timeout
    Baseline default: 50
    Learn more

  • Scan all downloaded files and attachments
    Baseline default: Yes
    Learn more

  • Scan type
    Baseline default: Quick scan
    Learn more

  • Defender schedule scan day:
    Baseline default: Everyday

  • Defender scan start time:
    Baseline default: Not configured

  • Defender sample submission consent
    Baseline default: Send safe samples automatically
    Learn more

  • Cloud-delivered protection level
    Baseline default: High
    Learn more

  • Scan removable drives during full scan
    Baseline default: Yes
    Learn more

  • Defender potentially unwanted app action
    Baseline default: Block
    Learn more

  • Turn on cloud-delivered protection
    Baseline default: Yes
    Learn more

  • Turn on real-time protection
    Baseline default: Yes
    Learn more

  • Additional amount of time (0-50 seconds) to extend cloud protection timeout
    Baseline default: 50
    Learn more

  • Scan all downloaded files and attachments
    Baseline default: Yes
    Learn more

  • Scan type
    Baseline default: Quick scan
    Learn more

  • Defender sample submission consent
    Baseline default: Send safe samples automatically
    Learn more

  • Cloud-delivered protection level
    Baseline default: High
    Learn more

  • Scan removable drives during full scan
    Baseline default: Yes
    Learn more

  • Defender potentially unwanted app action
    Baseline default: Block
    Learn more

  • Turn on cloud-delivered protection
    Baseline default: Yes
    Learn more

  • Run daily quick scan at
    Baseline default: 2 AM
    Learn more

  • Scheduled scan start time
    Baseline default: 2 AM

  • Configure low CPU priority for scheduled scans
    Baseline default: Yes
    Learn more

  • Block Office communication apps from creating child processes
    Baseline default: Enable
    Learn more

  • Block Adobe Reader from creating child processes
    Baseline default: Enable
    Learn more

  • Scan incoming email messages
    Baseline default: Yes
    Learn more

  • Turn on real-time protection
    Baseline default: Yes
    Learn more

  • Number of days (0-90) to keep quarantined malware
    Baseline default: 0
    Learn more

  • Defender system scan schedule
    Baseline default: User defined
    Learn more

  • Additional amount of time (0-50 seconds) to extend cloud protection timeout
    Baseline default: 50
    Learn more

  • Scan mapped network drives during a full scan
    Baseline default: Yes
    Learn more

  • Turn on network protection
    Baseline default: Yes
    Learn more

  • Scan all downloaded files and attachments
    Baseline default: Yes
    Learn more

  • Block on access protection
    Baseline default: Not configured
    Learn more

  • Scan browser scripts
    Baseline default: Yes
    Learn more

  • Block user access to Microsoft Defender app
    Baseline default: Yes
    Learn more

  • Maximum allowed CPU usage (0-100 percent) per scan
    Baseline default: 50
    Learn more

  • Scan type
    Baseline default: Quick scan
    Learn more

  • Enter how often (0-24 hours) to check for security intelligence updates
    Baseline default: 8
    Learn more

  • Defender sample submission consent
    Baseline default: Send safe samples automatically
    Learn more

  • Cloud-delivered protection level
    Baseline default: *Not configured
    Learn more

  • Scan archive files
    Baseline default: Yes
    Learn more

  • Turn on behavior monitoring
    Baseline default: Yes
    Learn more

  • Scan removable drives during full scan
    Baseline default: Yes
    Learn more

  • Scan network files
    Baseline default: Yes
    Learn more

  • Defender potentially unwanted app action
    Baseline default: Block
    Learn more

  • Turn on cloud-delivered protection
    Baseline default: Yes
    Learn more

  • Block Office applications from injecting code into other processes
    Baseline default: Block
    Learn more

  • Block Office applications from creating executable content
    Baseline default: Block
    Learn more

  • Block JavaScript or VBScript from launching downloaded executable content
    Baseline default: Block
    Learn more

  • Enable network protection
    Baseline default: Audit mode
    Learn more

  • Block untrusted and unsigned processes that run from USB
    Baseline default: Block
    Learn more

  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    Baseline default: Enable
    Learn more

  • Block executable content download from email and webmail clients
    Baseline default: Block
    Learn more

  • Block all Office applications from creating child processes
    Baseline default: Block
    Learn more

  • Block execution of potentially obfuscated scripts (js/vbs/ps)
    Baseline default: Block
    Learn more

  • Block Win32 API calls from Office macro
    Baseline default: Block
    Learn more

  • Run daily quick scan at
    Baseline default: 2 AM
    Learn more

  • Scheduled scan start time
    Baseline default: 2 AM

  • Configure low CPU priority for scheduled scans
    Baseline default: Yes
    Learn more

  • Block Office communication apps from creating child processes
    Baseline default: Enable
    Learn more

  • Block Adobe Reader from creating child processes
    Baseline default: Enable
    Learn more

  • Scan incoming email messages
    Baseline default: Yes
    Learn more

  • Turn on real-time protection
    Baseline default: Yes
    Learn more

  • Number of days (0-90) to keep quarantined malware
    Baseline default: 0
    Learn more

  • Defender system scan schedule
    Baseline default: User defined
    Learn more

  • Additional amount of time (0-50 seconds) to extend cloud protection timeout
    Baseline default: 50
    Learn more

  • Scan mapped network drives during a full scan
    Baseline default: Yes
    Learn more

  • Turn on network protection
    Baseline default: Yes
    Learn more

  • Scan all downloaded files and attachments
    Baseline default: Yes
    Learn more

  • Block on access protection
    Baseline default: Not configured
    Learn more

  • Scan browser scripts
    Baseline default: Yes
    Learn more

  • Block user access to Microsoft Defender app
    Baseline default: Yes
    Learn more

  • Maximum allowed CPU usage (0-100 percent) per scan
    Baseline default: 50
    Learn more

  • Scan type
    Baseline default: Quick scan
    Learn more

  • Enter how often (0-24 hours) to check for security intelligence updates
    Baseline default: 8
    Learn more

  • Defender sample submission consent
    Baseline default: Send safe samples automatically
    Learn more

  • Cloud-delivered protection level
    Baseline default: *Not configured
    Learn more

  • Scan archive files
    Baseline default: Yes
    Learn more

  • Turn on behavior monitoring
    Baseline default: Yes
    Learn more

  • Scan removable drives during full scan
    Baseline default: Yes
    Learn more

  • Scan network files
    Baseline default: Yes
    Learn more

  • Defender potentially unwanted app action
    Baseline default: Block
    Learn more

  • Turn on cloud-delivered protection
    Baseline default: Yes
    Learn more

  • Block Office applications from injecting code into other processes
    Baseline default: Block
    Learn more

  • Block Office applications from creating executable content
    Baseline default: Block
    Learn more

  • Block JavaScript or VBScript from launching downloaded executable content
    Baseline default: Block
    Learn more

  • Enable network protection
    Baseline default: Audit mode
    Learn more

  • Block untrusted and unsigned processes that run from USB
    Baseline default: Block
    Learn more

  • Block credential stealing from the Windows local security authority subsystem (lsass.exe)
    Baseline default: Enable
    Learn more

  • Block executable content download from email and webmail clients
    Baseline default: Block
    Learn more

  • Block all Office applications from creating child processes
    Baseline default: Block
    Learn more

  • Block execution of potentially obfuscated scripts (js/vbs/ps)
    Baseline default: Block
    Learn more

  • Block Win32 API calls from Office macro
    Baseline default: Block
    Learn more

Microsoft Defender Security Center

  • Block users from editing the Exploit Guard protection interface
    Baseline default: Yes
    Learn more

Smart Screen

  • Block users from ignoring SmartScreen warnings
    Baseline default: Yes
    Learn more

  • Turn on Windows SmartScreen
    Baseline default: Yes
    Learn more

  • Require SmartScreen for Microsoft Edge
    Baseline default: Yes
    Learn more

  • Block malicious site access
    Baseline default: Yes
    Learn more

  • Block unverified file download
    Baseline default: Yes
    Learn more

  • Configure Microsoft Defender SmartScreen
    Baseline default: Enabled

  • Prevent bypassing Microsoft Defender SmartScreen prompts for sites
    Baseline default: Enabled

  • Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
    Baseline default: Enabled

  • Configure Microsoft Defender SmartScreen to block potentially unwanted apps
    Baseline default: Enabled

  • Require apps from store only
    Baseline default: Yes

  • Turn on Windows SmartScreen
    Baseline default: Yes
    Learn more

Windows Hello for Business

For more information, see PassportForWork CSP in the Windows documentation.

  • Block Windows Hello for Business
    Baseline default: Disabled

    • Lowercase letters in PIN Baseline default: Allowed

    • Special characters in PIN Baseline default: Allowed

    • Uppercase letters in PIN Baseline default: Allowed

Next steps