Microsoft is pleased to announce the release of the security baseline package for Windows 11, version 24H2!
Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate.
This release includes several changes to further strengthen the security of enterprise customers, including additional protections for LAN Manager, Kerberos, and User Account Control, Microsoft Defender Antivirus updates, and more.
The Mark of the Web (MotW) has come up in previous discussions of our baselines. A new setting has been added and configured, located at Windows Components\File Explorer\Do not apply the Mark of the Web tag to files copied from insecure sources. The baseline enforces this setting with a value of Disabled, so the MotW is applied when a file is copied from a network share in the Internet Zone into the local file system. If necessary, Zone Mapping can be used to map any file shares that are deemed trusted into the Trusted/Intranet Zones.
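One way to verify the MotW behaviour described above on a given machine is to read the file's Zone.Identifier alternate data stream, which is where Windows records the zone a file came from. The script below is an added example, not part of the baseline announcement; the file path and the tagged sample file are constructed here for illustration.

```powershell
# Added example: report the Mark of the Web zone recorded on a file, or $null if
# the file carries no Zone.Identifier stream (i.e. no MotW was applied).
function Get-MotWZone {
    param([Parameter(Mandatory)][string]$Path)

    # The Zone.Identifier stream holds an INI-style block such as:
    #   [ZoneTransfer]
    #   ZoneId=3
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }

    $zoneLine = $lines | Where-Object { $_ -like 'ZoneId=*' } | Select-Object -First 1
    if (-not $zoneLine) { return $null }

    # Well-known URL security zone identifiers used by Windows.
    $zoneNames = @{
        0 = 'Local Machine'
        1 = 'Local Intranet'
        2 = 'Trusted Sites'
        3 = 'Internet'
        4 = 'Restricted Sites'
    }
    $zoneId = [int]($zoneLine -replace '^ZoneId=', '')
    [pscustomobject]@{
        Path     = $Path
        ZoneId   = $zoneId
        ZoneName = if ($zoneNames.ContainsKey($zoneId)) { $zoneNames[$zoneId] } else { 'Unknown' }
    }
}

# Constructed sample: a local file tagged as if it had come from the Internet Zone.
# Copying from an Internet-zone share with the baseline setting enforced produces
# the same stream; a share mapped into the Intranet/Trusted zones would show 1 or 2,
# or no stream at all.
$sample = Join-Path $env:TEMP 'motw-sample.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample content'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

Get-MotWZone -Path $sample
Remove-Item -LiteralPath $sample
```

Run the function against a file freshly copied from a network share to confirm the ZoneId matches the zone the share is mapped to.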
For each release, we conduct a complete review of settings as part of our security baseline. Based on the latest review, we are updating our recommended settings for LAN Manager (Lanman) including Lanman Server and Lanman Workstation.
A new setting, located at System\KDC and System\Kerberos, has been added for smart card crypto agility. This setting lets administrators configure the hash algorithms allowed in certificate-based smart card (PKINIT) Kerberos authentication, giving customers the option to prevent SHA-1 from being used. The security baseline recommends support for SHA-256, SHA-384, and SHA-512, but does not recommend support for SHA-1. It’s important to note that these settings are useful only if both the client and the KDC (Windows Server 2025) are configured this way in the environment.
Located at System\Configure the behavior of the sudo command, this setting allows the customization of how the sudo command operates. Sudo for Windows can be used as a potential escalation of privilege vector when enabled in certain configurations. The baseline configures this setting to a value of Disabled, which disables sudo for Windows.
Microsoft Defender Antivirus (MDAV) plays a critical part in our security story. We are constantly making improvements to the product and have included six new settings in this release.
Two settings affecting User Account Control have been added.
The following settings should be evaluated based on your environment.
We have introduced a new policy called Enable delegated Managed Service Account (dMSA) Logons which is located at System\Kerberos. This controls dMSA logons for the machine. If you enable this policy setting, dMSA logons will be supported by the Kerberos client. Please review the prerequisites before adjusting the policy setting.
By default, dMSA is disabled because the Domain Controller (DC) must also be upgraded to Windows Server 2025 for the feature to function properly. If the DC is running a version earlier than Server 2025, the necessary schema updates for dMSA will not be present.
If your DC has been upgraded to Windows Server 2025, we suggest enabling this policy on both the client and DC sides. When enabled, you may need to specify realms, i.e., which domains or parts of the directory can authenticate and access the dMSA account. A child domain on an older server version can still interact with the accounts while maintaining security boundaries. This allows for a smoother transition and coexistence of features across a mixed-version environment. For example, if you have a primary domain called corp.contoso.com running on Windows Server 2025 and an older child domain called legacy.corp.contoso.com running on an older version of Windows Server (e.g., Windows Server 2022), you may specify the realm as legacy.corp.contoso.com. To learn more, see Setting up delegated Managed Service Accounts (dMSA) in Windows Server 2025.
Windows Protected Print (WPP) is the new, modern and more secure print stack for Windows, built from the ground up with security in mind. WPP blocks third-party drivers and hardens the entire print stack against attacks. WPP is designed to work with Mopria certified printers. While not yet configured in the security baseline, we recommend you consider the setting Printers\Configure Windows protected print, as later versions of the baselines will look to enable this very important feature. You can learn more about the security benefits in our blog post.
There are several Microsoft Defender Antivirus (MDAV) settings we recommend you consider.
The following two settings are specific to VDI environments.
We have decided to remove System\Group Policy\Configure registry policy processing from the security baseline after feedback from our support engineers on the numerous issues that were being traced back to it.
Several minor discrepancies between the documentation and group policies were noted since the last release. These should all be addressed going forward.
Please let us know your thoughts by commenting on this post or through the Security Baseline Community.