Microsoft Security Baselines Blog

Security baseline for Windows 10, version 21H2

Rick_Munck
Microsoft
Dec 20, 2021

We are pleased to announce the release of the Windows 10, version 21H2 security baseline package!


Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate.


This Windows 10 feature update brings very few new policy settings. One setting has been added for this release for printer driver installation restrictions (which was also added to the Windows 11 release). Additionally, all Microsoft Edge Legacy settings have been removed.


Restrict Driver Installations

In July a Knowledge Base article and a subsequent patch were released for CVE-2021-34527, more commonly known as “PrintNightmare”. We have added a new setting to the MS Security Guide (Administrative Templates\Printers\Limits print driver installation to Administrators) and enforced its enablement. Note that this setting was previously a custom setting in SecGuide.admx/adml and has since moved inbox.
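As an added example (not part of the original post or of the baseline package), the following PowerShell function reports whether the policy above is actually in effect on a machine. It assumes the policy is backed by the registry value RestrictDriverInstallationToAdministrators under the PointAndPrint policy key, which is the value Microsoft documented for this setting; the function name is my own.

```powershell
# Added audit helper, not from the Security Compliance Toolkit. Assumes the
# "Limits print driver installation to Administrators" policy writes the
# RestrictDriverInstallationToAdministrators value under the PointAndPrint
# policy key. The function name is hypothetical.
function Test-PrintDriverInstallRestriction {
    [CmdletBinding()]
    param(
        [string]$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint',
        [string]$ValueName = 'RestrictDriverInstallationToAdministrators'
    )

    # Read the value; a missing key or value simply yields $null.
    $item  = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { [int]$item.$ValueName } else { $null }

    # The baseline expects the restriction to be enforced, i.e. the value present and 1.
    # A missing value means no policy is applied: the OS default (restricted since the
    # August 2021 security update) then governs, but nothing is being enforced.
    if ($value -eq 1) {
        $state = 'Enforced: only Administrators may install print drivers'
    } elseif ($value -eq 0) {
        $state = 'NOT COMPLIANT: policy explicitly allows non-admin print driver installation'
    } else {
        $state = 'Not configured by policy: relying on OS default, baseline expects explicit enforcement'
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        KeyPath   = $KeyPath
        ValueName = $ValueName
        Value     = $value
        Compliant = ($value -eq 1)
        State     = $state
    }
}

# Local check; for remote hosts pass the function body to Invoke-Command, e.g.
# Invoke-Command -ComputerName <host> -ScriptBlock ${function:Test-PrintDriverInstallRestriction}
Test-PrintDriverInstallRestriction | Format-List
```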


Microsoft Edge Legacy

Microsoft Edge Legacy (EdgeHTML-based) reached end of support on March 9, 2021 and is not part of Windows 10 21H2. Therefore, the settings that supported it have been removed from the baseline. Going forward, please use the new Microsoft Edge (Chromium-based) baseline, which is on a separate release cadence and available as part of the Microsoft Security Compliance Toolkit.


Tamper Protection

While you are enabling the Microsoft Security Baseline, make sure to enable Microsoft Defender for Endpoint's "Tamper Protection" to add a layer of protection against Human Operated Ransomware.

As a reminder, our security baselines for the endpoint also include Microsoft 365 Apps for Enterprise, which we recently released, as well as Microsoft Edge and Windows Update.


Please let us know your thoughts by commenting on this post or via the Security Baseline Community.

  • ajsilvat IoT is close, you can use the baseline for it, there will be some settings that will not apply because the features do not exist in IoT but overall you shouldn't experience any adverse effect. Standard disclaimer: test first to ensure no issues 🙂

  •
    ajsilvat
    Copper Contributor

    Hi Rick_Munck 


    Thanks for the post, one query: does this package have the same effect on IoT versions? P.heh: w10_iot_LTSC_2021.


    I remain attentive.
    Thanks

    Albert

  •
    mktl73
    Copper Contributor

    Hi @Rick_Munck 


    Gentle reminder on my previous post following your remark on the alerting issue


    Thanks


    Martin

  •
    mktl73
    Copper Contributor

    Hi Rick_Munck 

    Would appreciate some help here as we are hitting a confusing situation.

    If I check Get-MpPreference on my PC, I see

    DisableRealtimeMonitoring : False

    This is normal as we want to have real-time monitoring enabled.


    If I check the registry, I see

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
    "DisableRealtimeMonitoring"=dword:00000001

    This is also normal as we want to prevent user interaction (as defined in the setting explanation "If you enable this policy setting, Microsoft Defender Antivirus will not prompt users to take actions on malware detections.")


    #1: can you please confirm that both settings, though having the same name, do manage different aspects (protection vs. user interaction)? If so, using the same name was not the best decision ...


    The baseline defines

    HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0


    #2: is this a mistake linked to the naming, or is there really a security benefit in allowing "prompt users to take actions on malware detections"?


    Thanks

  •
    BokChow
    Copper Contributor

    Does this apply to Windows 10 IoT Enterprise LTSC 2021?

  •
    Reza_Ameri
    Silver Contributor

    Thank you for sharing. You mentioned Tamper Protection, but as you may know it is not possible to manage it with Group Policy and Configuration Manager; it is possible to manage it only using cloud solutions like MEM. I know it is a behavior by design, but it would have been nice if we could manage it using GPO and Configuration Manager too.

  • DST, looks like we missed that, thanks for the catch! We will adjust on the next release; the good news is the content is accurate.

  •
    DST
    Copper Contributor

    Rick_Munck 
    The naming of the Excel worksheet in the Windows 10 version 21H2 Security Baseline.zip is maybe wrong 😉
    FINAL-MS Security Baseline Windows 10 v21H1.xlsx in location:
    Windows-10-v21H2-Security-Baseline/Documentation/

  • w1nd0ws the script is fine, the section you are referring to is an example output when you run the actual script.

  •
    w1nd0ws
    Copper Contributor

    Hi. This Windows 10 version 21H2 Security Baseline archive contains an incorrect file, "MapGuidsToGpoNames.ps1". It is from Windows 2004 and has other values.