Windows 365 Cloud PC security baseline settings for Intune

مقالة
05/03/2022
قراءة خلال 19 دقائق

Note

This security baseline is in public preview.

View the settings that are part of the Windows 365 Cloud PC security baseline that you can deploy with Microsoft Intune. This article details the settings in the available versions of the baseline and the default values for each setting. The default baseline configuration represents the recommended configuration for applicable devices. Defaults for one baseline might not match defaults from other security baselines, or from other versions of this baseline.

Use this baseline to configure Windows 365 devices with a recommended security configuration.

Windows 365 Cloud PC security baseline version 2101

Windows 365 Cloud PC security baseline version 2110

This version of the security baseline replaces previous versions. Profiles that were created prior to the availability of this baseline version:

Are now read-only. You can continue to use those profiles, but can't edit them to change their configuration.
Can be updated to the latest version. After you update to the current baseline version, you can edit the profile to modify settings.

To understand what's changed with this version of the baseline from previous versions, use the Compare baselines action. This action is available when you view the Versions pane for this baseline. Be sure to select the version of the baseline that you want to view.

To update a security baseline profile to the latest version of that baseline, see Change the baseline version for a profile.

This article is a reference for the settings contained in this baseline. For each setting in this article, the default value identifies the Windows 365 Cloud PC team's recommended configuration for that setting as the setting is represented in the baseline. These defaults aren't meant to identify the default configuration of the underlying CSP. Use the provided links to view content for the setting's policy configuration service provider (CSP) or underlying rules like attack surface reduction rule. The links in this document are the same as the links available from within the baseline configuration UI in the Microsoft Endpoint Manager admin center.

You can choose to deploy this baseline in its default configuration to apply that recommended security configuration to devices. You can also create custom instances of the baseline to meet your own security needs.

Tip

Before using or modifying a setting in this baseline, review the he Information text in the Microsoft Endpoint Manager admin center for the setting to learn about its conditions or limitations and when applicable, the CSP the setting applied so.

To learn about using security baselines with Intune and how to upgrade the baseline version in your security baseline profiles, see Use security baselines.
To update the version of a baseline you've already deployed to devices, see Change the baseline version for profile.

Above Lock

Voice activate apps from locked screen:
Baseline default: Disabled
CSP: Privacy/LetAppsActivateWithVoiceAboveLock
Block display of toast notifications:
Baseline default: Yes
CSP AboveLock/AllowToasts

App Runtime

Microsoft accounts optional for Microsoft store apps:
Baseline default: Enabled
CSP appruntime-allowmicrosoftaccountstobeoptional

Application management

Block app installations with elevated privileges:
Baseline default: Yes
CSP ApplicationManagement/MSIAlwaysInstallWithElevatedPrivileges
Block user control over installations:
Baseline default: Yes
CSP ApplicationManagement/MSIAllowUserControlOverInstall
Block game DVR (desktop only):
Baseline default: Yes
CSP ApplicationManagement/AllowGameDVR

Attack Surface Reduction Rules

For general information, see Learn about attack surface reduction rules.

Block Office communication apps from creating child processes:
Baseline default: Enable
ASR rule
Block Adobe Reader from creating child processes:
Baseline default: Enable
ASR rule
Block Office applications from injecting code into other processes:
Baseline default: Block
ASR rule
Block Office applications from creating executable content:
Baseline default: Block
ASR rule
Block JavaScript or VBScript from launching downloaded executable content:
Baseline default: Block
ASR rule
Enable network protection:
Baseline default: Enable
CSP: Defender/EnableNetworkProtection
Block untrusted and unsigned processes that run from USB:
Baseline default: Block
ASR rule
Block credential stealing from the Windows local security authority subsystem (lsass.exe):
Baseline default: Enable
ASR rule
Block all Office applications from creating child processes:
Baseline default: Block
ASR rule
Block execution of potentially obfuscated scripts (js/vbs/ps):
Baseline default: Block
ASR rule
Block Win32 API calls from Office macro:
Baseline default: Block
ASR rule
Block executable content download from email and webmail clients:
Baseline default: Block
ASR rule

Audit

Audit settings configure the events that are generated for the conditions of the setting.

Account Logon Audit Credential Validation (Device):
Baseline default: Success and Failure
Account Logon Audit Kerberos Authentication Service (Device):
Baseline default: None
Account Logon Logoff Audit Account Lockout (Device):
Baseline default: Failure
Account Logon Logoff Audit Group Membership (Device):
Baseline default: Success
Account Logon Logoff Audit Logon (Device):
Baseline default: Success and Failure
Audit Other Logon Logoff Events (Device):
Baseline default: Success and Failure
Audit Special Logon (Device):
Baseline default: Success
Audit Security Group Management (Device):
Baseline default: Success
Audit User Account Management (Device):
Baseline default: Success and Failure
Detailed Tracking Audit PNP Activity (Device):
Baseline default: Success
Detailed Tracking Audit Process Creation (Device):
Baseline default: Success
Object Access Audit Detailed File Share (Device):
Baseline default: Failure
Audit File Share Access (Device):
Baseline default: Success and Failure
Object Access Audit Other Object Access Events (Device):
Baseline default: Success and Failure
Object Access Audit Removable Storage (Device):
Baseline default: Success and Failure
Audit Authentication Policy Change (Device):
Baseline default: Success
Policy Change Audit MPSSVC Rule Level Policy Change (Device):
Baseline default: Success and Failure
Policy Change Audit Other Policy Change Events (Device):
Baseline default: Failure
Audit Changes to Audit Policy (Device):
Baseline default: Success
Privilege Use Audit Sensitive Privilege Use (Device):
Baseline default: Success and Failure
System Audit Other System Events (Device):
Baseline default: Success and Failure
System Audit Security State Change (Device):
Baseline default: Success
Audit Security System Extension (Device):
Baseline default: Success
System Audit System Integrity (Device):
Baseline default: Success and Failure

Auto Play

Auto play default auto run behavior:
Baseline default: Do not execute
CSP Autoplay/SetDefaultAutoRunBehavior
Auto play mode:
Baseline default: Disabled
CSP Autoplay/TurnOffAutoPlay
Block auto play for non-volume devices:
Baseline default: Enabled
CSP Autoplay/DisallowAutoplayForNonVolumeDevices

Browser

Block Password Manager:
Baseline default: Yes
CSP Browser/AllowPasswordManager
Require SmartScreen for Microsoft Edge Legacy:
Baseline default: Yes
CSP Browser/AllowSmartScreen
Block malicious site:
Baseline default: Yes
CSP Browser/PreventSmartScreenPromptOverride
Block unverified file download:
Baseline default: Yes
CSP Browser/PreventSmartScreenPromptOverrideForFiles
Prevent user from overriding certificate errors:
Baseline default: Yes
CSP Browser/PreventCertErrorOverrides

Connectivity

Configure secure access to UNC paths:
Baseline default: Configure Windows to only allow access to the specified UNC paths after fulfilling additional security requirements
CSP Connectivity/HardenedUNCPaths
- Hardened UNC path list:
  Not configured by default. Manually add one or more hardened UNC paths.
Block downloading of print drivers over HTTP:
Baseline default: Enabled
CSP Connectivity/DisableDownloadingOfPrintDriversOverHTTP
Block Internet download for web publishing and online ordering wizards:
Baseline default: Enabled
CSP Connectivity/DisableInternetDownloadForWebPublishingAndOnlineOrderingWizards

Credentials Delegation

Remote host delegation of non-exportable credentials:
Baseline default: Enabled
CSP CredentialsDelegation/RemoteHostAllowsDelegationOfNonExportableCredentials

Credentials UI

Enumerate administrators:
Baseline default: Disabled
CSP CredentialsUI/EnumerateAdministrators

Device Guard

Virtualization based security:
Baseline default: Enable VBS with secure boot
Enable virtualization based security:
Baseline default: Yes
CSP DeviceGuard/EnableVirtualizationBasedSecurity
Launch system guard:
Baseline default: Enabled
Turn on Credential Guard:
Baseline default: Enable with UEFI lock
CSP DeviceGuard

Device Installation

Block hardware device installation by setup classes
Baseline default: Yes
CSP DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
- Remove matching hardware devices
  Baseline default: Yes
- Block list
  Not configured by default. Manually add one or more Identifiers.

DMA Guard

Enumeration of external devices incompatible with Kernel DMA Protection
Baseline default: Block all

Event Log Service

Application log maximum file size in KB
Baseline default: 32768
CSP EventLogService/SpecifyMaximumFileSizeApplicationLog
System log maximum file size in KB
Baseline default: 32768
CSP specifymaximumfilesizesystemlog
Security log maximum file size in KB
Baseline default: 196608
CSP EventLogService/SpecifyMaximumFileSizeSecurityLog

Experience

Block Windows Spotlight
Baseline default: Yes
CSP Experience/AllowWindowsSpotlight

File Explorer

Block data execution prevention
Baseline default: Disabled
CSP FileExplorer/TurnOffDataExecutionPreventionForExplorer
Block heap termination on corruption
Baseline default: Disabled
CSP FileExplorer/TurnOffHeapTerminationOnCorruption

Firewall

Firewall profile domain
Baseline default: Configure
2.2.2 FW_PROFILE_TYPE
- Inbound connections blocked
  Baseline default: Yes
  CSP Firewall/DefaultInboundAction
- Outbound connections required
  Baseline default: Yes
  CSP Firewall/DefaultOutboundAction
- Inbound notifications blocked
  Baseline default: Yes
  CSP Firewall/DisableInboundNotifications
- Firewall enabled
  Baseline default: Allowed
  CSP Firewall/EnableFirewall
Firewall profile private
Baseline default: Configure
2.2.2 FW_PROFILE_TYPE
- Inbound connections blocked
  Baseline default: Yes
  CSP Firewall/DefaultInboundAction
- Outbound connections required
  Baseline default: Yes
  CSP Firewall/DefaultOutboundAction
- Inbound notifications blocked
  Baseline default: Yes
  CSP Firewall/DisableInboundNotifications
- Firewall enabled
  Baseline default: Allowed
  CSP Firewall/EnableFirewall
Firewall profile public
Baseline default: Configure
2.2.2 FW_PROFILE_TYPE
- Inbound connections blocked
  Baseline default: Yes
  CSP Firewall/DefaultInboundAction
- Outbound connections required
  Baseline default: Yes
  CSP Firewall/DefaultOutboundAction
- Inbound notifications blocked
  Baseline default: Yes
  CSP Firewall/DisableInboundNotifications
- Firewall enabled
  Baseline default: Allowed
  CSP Firewall/EnableFirewall
- Connection security rules from group policy not merged
  Baseline default: Yes
  CSP Firewall/AllowLocalIpsecPolicyMerge
- Policy rules from group policy not merged
  Baseline default: Yes
  CSP Firewall/AllowLocalPolicyMerge

Internet Explorer

Internet Explorer encryption support
Baseline defaults:
- TLS v1.1
- TLS v1.2
CSP InternetExplorer/DisableEncryptionSupport
Internet Explorer prevent managing smart screen filter
Baseline default: Enable
CSP InternetExplorer/PreventManagingSmartScreenFilter
Internet Explorer restricted zone script Active X controls marked safe for scripting
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneScriptActiveXControlsMarkedSafeForScripting
Internet Explorer restricted zone file downloads
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneAllowFileDownloads
Internet Explorer certificate address mismatch warning
Baseline default: Disable
CSP InternetExplorer/AllowCertificateAddressMismatchWarning
Internet Explorer enhanced protected mode
Baseline default: Disable
CSP InternetExplorer/AllowEnhancedProtectedMode
Internet Explorer fallback to SSL3
Baseline default: No sites
CSP InternetExplorer/AllowFallbackToSSL3
Internet Explorer software when signature is invalid
Baseline default: Disable
CSP InternetExplorer/AllowSoftwareWhenSignatureIsInvalid
Internet Explorer check server certificate revocation
Baseline default: Enable
CSP InternetExplorer/CheckServerCertificateRevocation
Internet Explorer check signatures on downloaded programs
Baseline default: Enable
CSP InternetExplorer/CheckSignaturesOnDownloadedPrograms
Internet Explorer processes consistent MIME handling
Baseline default: Enable
CSP InternetExplorer/ConsistentMimeHandlingInternetExplorerProcesses
Internet Explorer bypass smart screen warnings
Baseline default: Disable
CSP InternetExplorer/DisableBypassOfSmartScreenWarnings
Internet Explorer bypass smart screen warnings about uncommon files
Baseline default: Disable
CSP InternetExplorer/DisableBypassOfSmartScreenWarningsAboutUncommonFiles
Internet Explorer crash detection
Baseline default: Disable
CSP InternetExplorer/DisableCrashDetection
Internet Explorer download enclosures
Baseline default: Disable
CSP InternetExplorer/DisableEnclosureDownloading
Internet Explorer ignore certificate errors
Baseline default: Disable
CSP InternetExplorer/DisableIgnoringCertificateErrors
Internet Explorer disable processes in enhanced protected mode
Baseline default: Enable
CSP InternetExplorer/DisableProcessesInEnhancedProtectedMode
Internet Explorer security settings check
Baseline default: Enabled
CSP InternetExplorer/DisableSecuritySettingsCheck
Internet Explorer Active X controls in protected mode
Baseline default: Disabled
CSP InternetExplorer/DoNotAllowActiveXControlsInProtectedMode
Internet Explorer users adding sites
Baseline default: Disabled
CSP InternetExplorer/DoNotAllowUsersToAddSites
Internet Explorer users changing policies
Baseline default: Disabled
CSP InternetExplorer/DoNotAllowUsersToChangePolicies
Internet Explorer block outdated Active X controls
Baseline default: Enabled
CSP InternetExplorer/DoNotBlockOutdatedActiveXControls
Internet Explorer include all network paths
Baseline default: Disabled
CSP InternetExplorer/IncludeAllNetworkPaths
Internet Explorer internet zone access to data sources
Baseline default: Disable
CSP InternetExplorer/InternetZoneAllowAccessToDataSources
Internet Explorer internet zone automatic prompt for file downloads
Baseline default: Disabled
CSP InternetExplorer/InternetZoneAllowAutomaticPromptingForFileDownloads
Internet Explorer internet zone copy and paste via script
Baseline default: Disable
CSP InternetExplorer/InternetZoneAllowCopyPasteViaScript
Internet Explorer internet zone drag and drop or copy and paste files
Baseline default: Disable
CSP InternetExplorer/InternetZoneAllowDragAndDropCopyAndPasteFiles
Internet Explorer internet zone less privileged sites
Baseline default: Disable
CSP InternetExplorer/InternetZoneAllowLessPrivilegedSites
Internet Explorer internet zone loading of XAML files
Baseline default: Disable
CSP InternetExplorer/InternetZoneAllowLoadingOfXAMLFiles
Internet Explorer internet zone .NET Framework reliant components
Baseline default: Disable
CSP InternetExplorer/InternetZoneAllowNETFrameworkReliantComponents
Internet Explorer internet zone allows only approved domains to use ActiveX controls
Baseline default: Enabled
CSP InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseActiveXControls
Internet Explorer internet zone allows only approved domains to use tdc ActiveX controls
Baseline default: Enabled
CSP InternetExplorer/InternetZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl
Internet Explorer internet zone scripting of web browser controls
Baseline default: Disabled
CSP InternetExplorer/InternetZoneAllowScriptingOfInternetExplorerWebBrowserControls
Internet Explorer internet zone script initiated windows
Baseline default: Disabled
CSP InternetExplorer/InternetZoneAllowScriptInitiatedWindows
Internet Explorer internet zone scriptlets
Baseline default: Disable
CSP InternetExplorer/InternetZoneAllowScriptlets
Internet Explorer internet zone smart screen
Baseline default: Enabled
CSP InternetExplorer/InternetZoneAllowSmartScreenIE
Internet Explorer internet zone updates to status bar via script
Baseline default: Disabled
CSP InternetExplorer/InternetZoneAllowUpdatesToStatusBarViaScript
Internet Explorer internet zone user data persistence
Baseline default: Disabled
CSP InternetExplorer/InternetZoneAllowUserDataPersistence
Internet Explorer internet zone allows VBscript to run
Baseline default: Disable
CSP InternetExplorer/InternetZoneAllowVBScriptToRunInInternetExplorer
Internet Explorer internet zone do not run antimalware against ActiveX controls
Baseline default: Disabled
CSP InternetExplorer/InternetZoneDoNotRunAntimalwareAgainstActiveXControls
Internet Explorer internet zone download signed ActiveX controls
Baseline default: Disable
CSP InternetExplorer/InternetZoneDownloadSignedActiveXControls
Internet Explorer internet zone download unsigned ActiveX controls
Baseline default: Disable
CSP InternetExplorer/InternetZoneDownloadUnsignedActiveXControls
Internet Explorer internet zone cross site scripting filter
Baseline default: Enabled
CSP InternetExplorer/InternetZoneEnableCrossSiteScriptingFilter
Internet Explorer internet zone drag content from different domains across windows
Baseline default: Disabled
CSP InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows
Internet Explorer internet zone drag content from different domains within windows
Baseline default: Disabled
CSP InternetExplorer/InternetZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows
Internet Explorer internet zone protected mode
Baseline default: Enable
CSP InternetExplorer/InternetZoneEnableProtectedMode
Internet Explorer internet zone include local path when uploading files to server
Baseline default: Disabled
CSP InternetExplorer/InternetZoneIncludeLocalPathWhenUploadingFilesToServer
Internet Explorer internet zone initialize and script Active X controls not marked as safe
Baseline default: Disable
CSP InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe
Internet Explorer internet zone java permissions
Baseline default: Disable java
CSP InternetExplorer/InternetZoneJavaPermissions
Internet Explorer internet zone launch applications and files in an iframe
Baseline default: Disable
CSP InternetExplorer/InternetZoneLaunchingApplicationsAndFilesInIFRAME
Internet Explorer internet zone logon options
Baseline default: Prompt
CSP InternetExplorer/InternetZoneLogonOptions
Internet Explorer internet zone navigate windows and frames across different domains
Baseline default: Disable
CSP InternetExplorer/InternetZoneNavigateWindowsAndFrames
Internet Explorer internet zone run .NET Framework reliant components signed with Authenticode
Baseline default: Disable
CSP InternetExplorer/InternetZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode
Internet Explorer internet zone security warning for potentially unsafe files
Baseline default: Prompt
CSP InternetExplorer/InternetZoneShowSecurityWarningForPotentiallyUnsafeFiles
Internet Explorer internet zone popup blocker
Baseline default: Enable
CSP InternetExplorer/InternetZoneUsePopupBlocker
Internet Explorer intranet zone do not run antimalware against Active X controls
Baseline default: Disabled
CSP InternetExplorer/IntranetZoneDoNotRunAntimalwareAgainstActiveXControls
Internet Explorer intranet zone initialize and script Active X controls not marked as safe
Baseline default: Disable
CSP InternetExplorer/IntranetZoneInitializeAndScriptActiveXControls
Internet Explorer intranet zone java permissions
Baseline default: High safety
CSP InternetExplorer/IntranetZoneJavaPermissions
Internet Explorer local machine zone do not run antimalware against Active X controls
Baseline default: Disabled
CSP InternetExplorer/LocalMachineZoneDoNotRunAntimalwareAgainstActiveXControls
Internet Explorer local machine zone java permissions
Baseline default: Disable java
CSP InternetExplorer/LocalMachineZoneJavaPermissions
Internet Explorer locked down internet zone smart screen
Baseline default: Enabled
CSP InternetExplorer/LockedDownInternetZoneAllowSmartScreenIE
Internet Explorer locked down intranet zone java permissions
Baseline default: Disable java
CSP InternetExplorer/LockedDownIntranetJavaPermissions
Internet Explorer locked down local machine zone java permissions
Baseline default: Disable java
CSP InternetExplorer/LockedDownLocalMachineZoneJavaPermissions
Internet Explorer locked down restricted zone smart screen
Baseline default: Enabled
CSP InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE
Internet Explorer locked down restricted zone java permissions
Baseline default: Disable java
CSP InternetExplorer/LockedDownRestrictedSitesZoneJavaPermissions
Internet Explorer locked down trusted zone java permissions
Baseline default: Disable java
CSP InternetExplorer/LockedDownTrustedSitesZoneJavaPermissions
Internet Explorer processes MIME sniffing safety feature
Baseline default: Enabled
CSP InternetExplorer/MimeSniffingSafetyFeatureInternetExplorerProcesses
Internet Explorer processes MK protocol security restriction
Baseline default: Enabled
CSP InternetExplorer/MKProtocolSecurityRestrictionInternetExplorerProcesses
Internet Explorer processes notification bar
Baseline default: Enabled
CSP InternetExplorer/NotificationBarInternetExplorerProcesses
Internet Explorer prevent per user installation of Active X controls
Baseline default: Enabled
CSP InternetExplorer/PreventPerUserInstallationOfActiveXControls
Internet Explorer processes protection from zone elevation
Baseline default: Enabled
CSP InternetExplorer/ProtectionFromZoneElevationInternetExplorerProcesses
Internet Explorer remove run this time button for outdated Active X controls
Baseline default: Enabled
CSP InternetExplorer/RemoveRunThisTimeButtonForOutdatedActiveXControls
Internet Explorer processes restrict Active X install
Baseline default: Enabled
CSP InternetExplorer/RestrictActiveXInstallInternetExplorerProcesses
Internet Explorer restricted zone access to data sources
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneAllowAccessToDataSources
Internet Explorer restricted zone active scripting
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneAllowActiveScripting
Internet Explorer restricted zone automatic prompt for file downloads
Baseline default: Disabled
CSP InternetExplorer/RestrictedSitesZoneAllowAutomaticPromptingForFileDownloads
Internet Explorer restricted zone binary and script behaviors
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneAllowBinaryAndScriptBehaviors
Internet Explorer restricted zone copy and paste via script
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneAllowCopyPasteViaScript
Internet Explorer restricted zone drag and drop or copy and paste files
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneAllowDragAndDropCopyAndPasteFiles
Internet Explorer restricted zone less privileged sites
Baseline default: Disable
CSP InternetExplorer/InternetZoneAllowLessPrivilegedSites
Internet Explorer restricted zone loading of XAML files
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneAllowLoadingOfXAMLFiles
Internet Explorer restricted zone meta refresh
Baseline default: Disabled
CSP InternetExplorer/RestrictedSitesZoneAllowMETAREFRESH
Internet Explorer restricted zone .NET Framework reliant components
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneAllowNETFrameworkReliantComponents
Internet Explorer restricted zone allows only approved domains to use Active X controls
Baseline default: Enabled
CSP InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseActiveXControls
Internet Explorer restricted zone allows only approved domains to use tdc Active X controls
Baseline default: Enabled
CSP InternetExplorer/RestrictedSitesZoneAllowOnlyApprovedDomainsToUseTDCActiveXControl
Internet Explorer restricted zone scripting of web browser controls
Baseline default: Disabled
CSP InternetExplorer/RestrictedSitesZoneAllowScriptingOfInternetExplorerWebBrowserControls
Internet Explorer restricted zone script initiated windows
Baseline default: Disabled
CSP InternetExplorer/RestrictedSitesZoneAllowScriptInitiatedWindows
Internet Explorer restricted zone scriptlets
Baseline default: Disabled
CSP InternetExplorer/RestrictedSitesZoneAllowScriptlets
Internet Explorer restricted zone smart screen
Baseline default: Enabled
CSP InternetExplorer/RestrictedSitesZoneAllowSmartScreenIE
Internet Explorer restricted zone updates to status bar via script
Baseline default: Disabled
CSP InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence
Internet Explorer restricted zone user data persistence
Baseline default: Disabled
CSP InternetExplorer/RestrictedSitesZoneAllowUserDataPersistence
Internet Explorer restricted zone allows vbscript to run
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneAllowVBScriptToRunInInternetExplorer
Internet Explorer restricted zone do not run antimalware against Active X controls
Baseline default: Disabled
CSP InternetExplorer/RestrictedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
Internet Explorer restricted zone download signed Active X controls
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneDownloadSignedActiveXControls
Internet Explorer restricted zone download unsigned Active X controls
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneDownloadUnsignedActiveXControls
Internet Explorer restricted zone cross site scripting filter
Baseline default: Enabled
CSP InternetExplorer/RestrictedSitesZoneEnableCrossSiteScriptingFilter
Internet Explorer restricted zone drag content from different domains across windows
Baseline default: Disabled
CSP InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows
Internet Explorer restricted zone drag content from different domains within windows
Baseline default: Disabled
CSP InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsWithinWindows
Internet Explorer restricted zone include local path when uploading files to server
Baseline default: Disabled
CSP InternetExplorer/RestrictedSitesZoneIncludeLocalPathWhenUploadingFilesToServer
Internet Explorer restricted zone initialize and script Active X controls not marked as safe
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneInitializeAndScriptActiveXControls
Internet Explorer restricted zone java permissions
Baseline default: Disable java
CSP InternetExplorer/RestrictedSitesZoneJavaPermissions
Internet Explorer restricted zone launch applications and files in an iFrame
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneLaunchingApplicationsAndFilesInIFRAME
Internet Explorer restricted zone logon options
Baseline default: Anonymous
CSP InternetExplorer/RestrictedSitesZoneLogonOptions
Internet Explorer restricted zone navigate windows and frames across different domains
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneEnableDraggingOfContentFromDifferentDomainsAcrossWindows
Internet Explorer restricted zone run Active X controls and plugins
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneRunActiveXControlsAndPlugins
Internet Explorer restricted zone run .NET Framework reliant components signed with Authenticode
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneRunNETFrameworkReliantComponentsSignedWithAuthenticode
Internet Explorer restricted zone scripting of java applets
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneScriptingOfJavaApplets
Internet Explorer restricted zone security warning for potentially unsafe files
Baseline default: Disable
CSP InternetExplorer/RestrictedSitesZoneShowSecurityWarningForPotentiallyUnsafeFiles
Internet Explorer restricted zone protected mode
Baseline default: Enable
CSP InternetExplorer/RestrictedSitesZoneTurnOnProtectedMode
Internet Explorer restricted zone popup blocker
Baseline default: Enable
CSP InternetExplorer/RestrictedSitesZoneUsePopupBlocker
Internet Explorer processes restrict file download
Baseline default: Enabled
CSP InternetExplorer/RestrictFileDownloadInternetExplorerProcesses
Internet Explorer processes scripted window security restrictions
Baseline default: Enabled
CSP InternetExplorer/ScriptedWindowSecurityRestrictionsInternetExplorerProcesses
Internet Explorer security zones use only machine settings
Baseline default: Enabled
CSP InternetExplorer/SecurityZonesUseOnlyMachineSettings
Internet Explorer use Active X installer service
Baseline default: Enabled
CSP InternetExplorer/SpecifyUseOfActiveXInstallerService
Internet Explorer trusted zone do not run antimalware against Active X controls
Baseline default: Disabled
CSP InternetExplorer/TrustedSitesZoneDoNotRunAntimalwareAgainstActiveXControls
Internet Explorer trusted zone initialize and script Active X controls not marked as safe
Baseline default: Disable
CSP InternetExplorer/InternetZoneInitializeAndScriptActiveXControlsNotMarkedSafe
Internet Explorer trusted zone java permissions
Baseline default: High safety
CSP InternetExplorer/TrustedSitesZoneJavaPermissions
Internet Explorer auto complete
Baseline default: Disabled
CSP InternetExplorer/AllowAutoComplete

Local Policies Security Options

Block remote logon with blank password
Baseline default: Yes
CSP LocalPoliciesSecurityOptions/Accounts_LimitLocalAccountUseOfBlankPasswordsToConsoleLogonOnly
Minutes of lock screen inactivity until screen saver activates
Baseline default: 15
CSP LocalPoliciesSecurityOptions/InteractiveLogon_MachineInactivityLimit
Smart card removal behavior
Baseline default: Lock workstation
CSP LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
Require client to always digitally sign communications
Baseline default: Yes
CSP LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways
Prevent clients from sending unencrypted passwords to third party SMB servers
Baseline default: Yes
CSP LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers
Require server digitally signing communications always
Baseline default: Yes
CSP LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways
Prevent anonymous enumeration of SAM accounts
Baseline default: Yes
CSP LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts
Block anonymous enumeration of SAM accounts and shares
Baseline default: Yes
CSP LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSamAccountsAndShares
Restrict anonymous access to named pipes and shares
Baseline default: Yes
CSP LocalPoliciesSecurityOptions/NetworkAccess_RestrictAnonymousAccessToNamedPipesAndShares
Allow remote calls to security accounts manager
Baseline default: O:BAG:BAD:(A;;RC;;;BA)
CSP LocalPoliciesSecurityOptions/NetworkAccess_RestrictClientsAllowedToMakeRemoteCallsToSAM
Prevent storing LAN manager hash value on next password change
Baseline default: Yes
CSP LocalPoliciesSecurityOptions/NetworkSecurity_DoNotStoreLANManagerHashValueOnNextPasswordChange
Authentication level
Baseline default: Send NTLMv2 response only. Refuse LM and NTLM
CSP LocalPoliciesSecurityOptions/NetworkSecurity_LANManagerAuthenticationLevel
Minimum session security for NTLM SSP based clients
Baseline default: Require NTLM V2 and 128 bit encryption
CSP LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedClients
Minimum session security for NTLM SSP based servers
Baseline default: Require NTLM V2 and 128 bit encryption
CSP LocalPoliciesSecurityOptions/NetworkSecurity_MinimumSessionSecurityForNTLMSSPBasedServers
Administrator elevation prompt behavior
Baseline default: Prompt for consent on the secure desktop
CSP LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForAdministrators
Standard user elevation prompt behavior
Baseline default: Automatically deny elevation requests
CSP LocalPoliciesSecurityOptions/UserAccountControl_BehaviorOfTheElevationPromptForStandardUsers
Detect application installations and prompt for elevation
Baseline default: Yes
CSP LocalPoliciesSecurityOptions/UserAccountControl_DetectApplicationInstallationsAndPromptForElevation
Only allow UI access applications for secure locations
Baseline default: Yes
CSP LocalPoliciesSecurityOptions/UserAccountControl_OnlyElevateUIAccessApplicationsThatAreInstalledInSecureLocations
Require admin approval mode for administrators
Baseline default: Yes
CSP LocalPoliciesSecurityOptions/UserAccountControl_UseAdminApprovalMode
Use admin approval mode
Baseline default: Yes
CSP LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode
Virtualize file and registry write failures to per user locations
Baseline default: Yes
CSP LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations

Microsoft Defender

Turn on real-time protection
Baseline default: Yes
CSP Defender/AllowRealtimeMonitoring
Scan scripts that are used in Microsoft browsers
Baseline default: Yes CSP Defender/AllowScriptScanning
Additional amount of time (0-50 seconds) to extend cloud protection timeout
Baseline default: 50
CSP Defender/CloudExtendedTimeout
Scan all downloaded files and attachments
Baseline default: Yes
CSP Defender/AllowIOAVProtection
Scan type
Baseline default: Quick scan
CSP Defender/ScanParameter
Defender schedule scan day
Baseline default: Everyday
Scheduled scan start time
Baseline default: Not configured
Defender sample submission consent
Baseline default: Send safe samples automatically
CSP Defender/SubmitSamplesConsent
Cloud-delivered protection level
Baseline default: High
CSP Defender/CloudBlockLevel
Scan removable drives during full scan
Baseline default: Yes
CSP Defender/AllowFullScanRemovableDriveScanning
Defender potentially unwanted app action
Baseline default: Block
CSP Defender/PUAProtection
Turn on cloud-delivered protection
Baseline default: Yes
CSP Defender/AllowCloudProtection

Microsoft Defender Antivirus Exclusions

Defender Processes to exclude
Baseline defaults:
- %ProgramFiles%\FSLogix\Apps\frxccd.exe
- %ProgramFiles%\FSLogix\Apps\frxccds.exe
- %ProgramFiles%\FSLogix\Apps\frxsvc.exe
File extensions to exclude from scans and real-time protection
Baseline defaults:
- %ProgramFiles%\FSLogix\Apps\frxdrv.sys
- %ProgramFiles%\FSLogix\Apps\frxdrvvts.sys
- %%ProgramFiles%\FSLogix\Apps\frxccd.sys
- %TEMP%.VHD*
- %Windir%\TEMP*.VHD
- %Windir%\TEMP*.VHDX
- \\storageaccount.file.core.windows.net\share**.VHD
- \\storageaccount.file.core.windows.net\share**.VHDX
Defender Files And Folders To Exclude
Baseline default:
This setting has no default entries.

Microsoft Edge

Control which extensions cannot be installed
Baseline default: Enabled
- Extension IDs the user should be prevented from installing (or * for all)
  Baseline default:
  - *
Allow user-level native messaging hosts (installed without admin permissions)
Baseline default: Disabled
Minimum SSL version enabled
Baseline default: Enabled
- Minimum SSL version enabled
  Baseline default: TLS 1.2
Allow users to proceed from the SSL warning page
Baseline default: Disabled
Configure Microsoft Defender SmartScreen
Baseline default: Enabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites
Baseline default: Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads
Baseline default: Enabled
Configure Microsoft Defender SmartScreen to block potentially unwanted apps
Baseline default: Enabled
Default Adobe Flash setting
Baseline default: Enabled
- Default Adobe Flash setting
  Baseline default: Block the Adobe Flash plugin
Enable saving passwords to the password manager
Baseline default: Disabled
Enable site isolation for every site
Baseline default: Enabled
Supported authentication schemes
Baseline default: Enabled
- Supported authentication schemes
  Baseline defaults:
  - NTLM
  - Negotiate

MS Security Guide

SMB v1 client driver start configuration
Baseline default: Disable driver
CSP MSSecurityGuide/ConfigureSMBV1ClientDriver
Apply UAC restrictions to local accounts on network logon
Baseline default: Enabled
CSP MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon
Structured exception handling overwrite protection
Baseline default: Enabled
CSP MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection
SMB v1 server
Baseline default: Disabled
CSP MSSecurityGuide/ConfigureSMBV1Server
Digest authentication
Baseline default: Disabled
CSP MSSecurityGuide/WDigestAuthentication

MSS Legacy

Network IPv6 source routing protection level
Baseline default: Highest protection
CSP MSSLegacy/IPv6SourceRoutingProtectionLevel
Network IP source routing protection level
Baseline default: Highest protection
CSP MSSLegacy/IPSourceRoutingProtectionLevel
Network ignore NetBIOS name release requests except from WINS servers
Baseline default: Enabled
CSP MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers
Network ICMP redirects override OSPF generated routes
Baseline default: Disabled
CSP MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes

Remote Assistance

Remote Assistance solicited Baseline default: Disable Remote Assistance
CSP RemoteAssistance/SolicitedRemoteAssistance

Remote Desktop Services

Remote desktop services client connection encryption level
Baseline default: High
CSP RemoteDesktopServices/ClientConnectionEncryptionLevel
Block drive redirection
Baseline default: Enabled
Block password saving
Baseline default: Enabled
CSP RemoteDesktopServices/DoNotAllowPasswordSaving
Prompt for password upon connection
Baseline default: Enabled
CSP RemoteDesktopServices/PromptForPasswordUponConnection
Secure RPC communication
Baseline default: Enabled
CSP RemoteDesktopServices/RequireSecureRPCCommunication

Remote Management

Block client digest authentication
Baseline default: Enabled
CSP RemoteManagement/DisallowNegotiateAuthenticationClient
Block storing run as credentials
Baseline default: Enabled
CSP RemoteManagement/DisallowStoringOfRunAsCredentials
Client basic authentication
Baseline default: Disabled
CSP RemoteManagement/AllowBasicAuthentication_Client
Basic authentication
Baseline default: Disabled
CSP RemoteManagement/AllowBasicAuthentication_Service
Client unencrypted traffic
Baseline default: Disabled
CSP RemoteManagement/AllowUnencryptedTraffic_Client
Unencrypted traffic
Baseline default: Disabled
CSP RemoteManagement/AllowUnencryptedTraffic_Service

Remote Procedure Call

RPC unauthenticated client options
Baseline default: Authenticated
CSP RemoteProcedureCall/RPCEndpointMapperClientAuthentication

Search

Disable indexing encrypted items
Baseline default: Yes
CSP Search/AllowIndexingEncryptedStoresOrItems

Smart Screen

Turn on Windows SmartScreen
Baseline default: Yes
CSP SmartScreen/EnableSmartScreenInShell
Block users from ignoring SmartScreen warnings
Baseline default: Yes
CSP SmartScreen/PreventOverrideForFilesInShell

System

System boot start driver initialization
Baseline default: Good unknown and bad critical
CSP System/BootStartDriverInitialization

Windows Connection Manager

Block connection to non-domain networks
Baseline default: Enabled
CSP WindowsConnectionManager/ProhitConnectionToNonDomainNetworksWhenConnectedToDomainAuthenticatedNetwork

Windows Ink Workspace

Ink Workspace
Baseline default: Enabled
CSP WindowsInkWorkspace/AllowWindowsInkWorkspace

Windows PowerShell

PowerShell script block logging
Baseline default: Enabled
CSP WindowsPowerShell/TurnOnPowerShellScriptBlockLogging

Windows Security

Enable tamper protection to prevent Microsoft Defender being disabled
Baseline default: Enable
Reference for Tamper Protection