Level 1 Enterprise Basic Security configuration

Applies to

Windows 10

Level 1 is the minimum security configuration for an enterprise device. Microsoft recommends the following configuration for level 1 devices.

Hardware

Devices targeting Level 1 should support the following hardware features:

Trusted Platform Module (TPM) 2.0
Bitlocker Drive Encryption
UEFI Secure Boot
Drivers and Firmware Distributed through Windows Update

Policies

The policies in level 1 enforce a reasonable security level while minimizing the impact to users or to applications. Microsoft recommends using the rings methodology for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls.

Security Template Policies

Feature	Policy Setting	Policy Value	Description
Account Lockout	Account Lockout Duration	15	The number of minutes a locked-out account remains locked out before automatically becoming unlocked. If an account lockout threshold is defined, the account lockout duration must be greater than or equal to the reset time.
Account Lockout	Account Lockout Threshold	10	The number of failed logon attempts that causes a user account to be locked out. A locked-out account cannot be used until it is reset by an administrator or until the lockout duration for the account has expired.
Account Lockout	Reset account lockout counter after	15	The number of minutes that must elapse after a failed logon attempt before the failed logon attempt counter is reset to 0 bad logon attempts.
Password Policy	Enforce password history	24	The number of unique new passwords that must be associated with a user account before an old password can be reused.
Password Policy	Minimum password length	14	The least number of characters that a password for a user account may contain.
Password Policy	Password must meet complexity requirements	Enabled	Determines whether passwords must meet complexity requirements: 1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive. The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password. 2) Contain characters from three of the following categories: - Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters) - Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters) - Base 10 digits (0 through 9) -Non-alphanumeric characters (special characters): (~!@#$%^&*_-+=`\|\(){}[]:;"'<>,.?/) Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting. - Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
Password Policy	Store passwords using reversible encryption	Disabled	Determines whether the operating system stores passwords using reversible encryption.
Security Options	Accounts: Limit local account use of blank passwords to console logon only	Enabled	This security setting determines whether local accounts that are not password protected can be used to log on from locations other than the physical computer console. If enabled, local accounts that are not password protected will only be able to log on at the computer's keyboard.
Security Options	Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings	Enabled	Windows Vista and later versions of Windows allow audit policy to be managed in a more precise way using audit policy subcategories. Setting audit policy at the category level will override the new subcategory audit policy feature. Group Policy only allows audit policy to be set at the category level, and existing Group Policy may override the subcategory settings of new machines as they are joined to the domain or upgraded. To allow audit policy to be managed using subcategories without requiring a change to Group Policy, there is a new registry value in Windows Vista and later versions, SCENoApplyLegacyAuditPolicy, which prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool.
Security Options	Domain member: Digitally encrypt or sign secure channel data (always)	Enabled	This security setting determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. This setting determines whether all secure channel traffic initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic initiated by the domain member must be signed or encrypted. If this policy is enabled, then the secure channel will not be established unless either signing or encryption of all secure channel traffic is negotiated. If this policy is disabled, then encryption and signing of all secure channel traffic is negotiated with the Domain Controller in which case the level of signing and encryption depends on the version of the Domain Controller and the settings of the following two policies: - Domain member: Digitally encrypt secure channel data (when possible) - Domain member: Digitally sign secure channel data (when possible)
Security Options	Domain member: Digitally encrypt secure channel data (when possible)	Enabled	This security setting determines whether a domain member attempts to negotiate encryption for all secure channel traffic that it initiates. If enabled, the domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information transmitted over the secure channel will be encrypted. If this setting is disabled, then the domain member will not attempt to negotiate secure channel encryption.
Security Options	Domain member: Digitally sign secure channel data (when possible)	Enabled	This security setting determines whether a domain member attempts to negotiate signing for all secure channel traffic that it initiates. If enabled, the domain member will request signing of all secure channel traffic. If the Domain Controller supports signing of all secure channel traffic, then all secure channel traffic will be signed, which ensures that it cannot be tampered with in transit.
Security Options	Domain member: Disable machine account password changes	Disabled	Determines whether a domain member periodically changes its computer account password.
Security Options	Domain member: Maximum machine account password age	30	Determines how often a domain member will attempt to change its computer account password
Security Options	Domain member: require strong (Windows 2000 or later) session key	Enabled	Determines whether 128-bit key strength is required for encrypted secure channel data
Security Options	Interactive logon: Machine inactivity limit	900	The number of seconds of inactivity before the session is locked
Security Options	Interactive logon: Smart card removal behavior	Lock Workstation	This security setting determines what happens when the smart card for a logged-on user is removed from the smart card reader. If you click Lock Workstation in the Properties for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart cards with them, and still maintain protected sessions. For this setting to work beginning with Windows Vista, the Smart Card Removal Policy service must be started.
Security Options	Microsoft network client: Digitally sign communications (always)	Enabled	This security setting determines whether packet signing is required by the SMB client component.
Security Options	Microsoft network client: Send unencrypted password to third party SMB servers	Disabled	If this security setting is enabled, the Server Message Block (SMB) redirector can send plaintext passwords to non-Microsoft SMB servers that do not support password encryption during authentication. Sending unencrypted passwords is a security risk.
Security Options	Microsoft network server: Digitally sign communications (always)	Enabled	This security setting determines whether packet signing is required by the SMB server component.
Security Options	Network access: Allow anonymous SID/Name translation	Disabled	This security setting determines if an anonymous user can request security identifier (SID) attributes for another user. If this policy is enabled, a user with knowledge of an administrator's SID could contact a computer that has this policy enabled and use the SID to get the administrator's name.
Security Options	Network access: Do not allow anonymous enumeration of SAM accounts	Enabled	This security setting determines what additional permissions will be granted for anonymous connections to the computer. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. This security option allows additional restrictions to be placed on anonymous connections as follows: Enabled: Do not allow enumeration of SAM accounts. This option replaces Everyone with Authenticated Users in the security permissions for resources.
Security Options	Network access: Do not allow anonymous enumeration of SAM accounts and shares	Enabled	This security setting determines whether anonymous enumeration of SAM accounts and shares is allowed. Windows allows anonymous users to perform certain activities, such as enumerating the names of domain accounts and network shares. This is convenient, for example, when an administrator wants to grant access to users in a trusted domain that does not maintain a reciprocal trust. If you do not want to allow anonymous enumeration of SAM accounts and shares, then enable this policy.
Security Options	Network access: Restrict anonymous access to Named Pipes and Shares	Enabled	When enabled, this security setting restricts anonymous access to shares and pipes to the settings for: - Network access: Named pipes that can be accessed anonymously - Network access: Shares that can be accessed anonymously
Security Options	Network access: Restrict clients allowed to make remote calls to SAM	O:BAG:BAD:(A;;RC;;;BA)	This policy setting allows you to restrict remote RPC connections to SAM. If not selected, the default security descriptor will be used.
Security Options	Network security: Allow LocalSystem NULL session fallback	Disabled	Allow NTLM to fall back to NULL session when used with LocalSystem
Security Options	Network security: Do not store LAN Manager hash value on next password change	Enabled	This security setting determines if, at the next password change, the LAN Manager (LM) hash value for the new password is stored. The LM hash is relatively weak and prone to attack, as compared with the cryptographically stronger Windows NT hash. Since the LM hash is stored on the local computer in the security database the passwords can be compromised if the security database is attacked.
Security Options	Network security: LAN Manager authentication level	Send NTLMv2 response only. Refuse LM & NTLM	This security setting determines which challenge/response authentication protocol is used for network logons. This choice affects the level of authentication protocol used by clients, the level of session security negotiated, and the level of authentication accepted by servers as follows: Send NTLMv2 response only\refuse LM & NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication).
Security Options	Network security: LDAP client signing requirements	Negotiate signing	This security setting determines the level of data signing that is requested on behalf of clients issuing LDAP BIND requests, as follows: Negotiate signing: If Transport Layer Security/Secure Sockets Layer (TLS\SSL) has not been started, the LDAP BIND request is initiated with the LDAP data signing option set in addition to the options specified by the caller. If TLS\SSL has been started, the LDAP BIND request is initiated with the options that are specified by the caller.
Security Options	Network security: Minimum session security for NTLM SSP based (including secure RPC) clients	Require NTLMv2 session security and Require 128-bit encryption	This security setting allows a client to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value.
Security Options	Network security: Minimum session security for NTLM SSP based (including secure RPC) servers	Require NTLMv2 session security and Require 128-bit encryption	This security setting allows a server to require the negotiation of 128-bit encryption and/or NTLMv2 session security. These values are dependent on the LAN Manager Authentication Level security setting value.
Security Options	System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)	Enabled	This security setting determines the strength of the default discretionary access control list (DACL) for objects. Active Directory maintains a global list of shared system resources, such as DOS device names, mutexes, and semaphores. In this way, objects can be located and shared among processes. Each type of object is created with a default DACL that specifies who can access the objects and what permissions are granted. If this policy is enabled, the default DACL is stronger, allowing users who are not administrators to read shared objects but not allowing these users to modify shared objects that they did not create.
Security Options	User Account Control: Admin approval mode for the built-in administrator	Enabled	The built-in Administrator account uses Admin Approval Mode - any operation that requires elevation of privilege will prompt to user to approve that operation
Security Options	User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode	Prompt for consent on the secure desktop	When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
Security Options	User Account Control: Detect application installations and prompt for elevation	Enabled	When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Security Options	User Account Control: Only elevate UIAccess applications that are installed in secure locations	Enabled	This policy setting controls whether applications that request to run with a User Interface Accessibility (UIAccess) integrity level must reside in a secure location in the file system. Secure locations are limited to the following: - …\Program Files\, including subfolders - …\Windows\system32\ - …\Program Files (x86)\, including subfolders for 64-bit versions of Windows
Security Options	User Account Control: Run all Administrators in admin approval mode	Enabled	This policy must be enabled, and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
Security Options	User Account Control: Virtualize file and registry write failures to per-user locations	Enabled	This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
User Rights Assignments	Access Credential Manager as a trusted caller	No One (blank)	This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities.
User Rights Assignment	Access this computer from the network	Administrators; Remote Desktop Users	This user right determines which users and groups can connect to the computer over the network. Remote Desktop Services are not affected by this user right.
User Rights Assignments	Act as part of the operating system	No One (blank)	This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
User Rights Assignments	Allow log on locally	Administrators; Users	Determines which users can log on to the computer
User Rights Assignments	Back up files and directories	Administrators	Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system
User Rights Assignments	Create a pagefile	Administrators	Determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file
User Rights Assignments	Create a token object	No One (blank)	Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token.
User Rights Assignments	Create global objects	Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE	This security setting determines whether users can create global objects that are available to all sessions.
User Rights Assignments	Create permanent shared objects	No One (blank)	Determines which accounts can be used by processes to create a directory object using the object manager
User Rights Assignments	Debug programs	Administrators	Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.
User Rights Assignment	Enable computer and user accounts to be trusted for delegation	No One (blank)	This security setting determines which users can set the Trusted for Delegation setting on a user or computer object.
User Rights Assignments	Force shutdown from a remote system	Administrators	Determines which users can shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.
User Rights Assignment	Impersonate a client after authentication	Administrators, SERVICE, Local Service, Network Service	Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.
User Rights Assignments	Load and unload device drivers	Administrators	Determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.
User Rights Assignment	Lock pages in memory	No One (blank)	Determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random-access memory (RAM).
User Rights Assignments	Manage auditing and security log	Administrators	Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
User Rights Assignments	Modify firmware environment variables	Administrators	Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.
User Rights Assignment	Perform volume maintenance tasks	Administrators	This security setting determines which users and groups can run maintenance tasks on a volume, such as remote defragmentation.
User Rights Assignment	Profile single process	Administrators	This security setting determines which users can use performance monitoring tools to monitor the performance of non-system processes.
User Rights Assignments	Restore files and directories	Administrators	Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object
User Rights Assignments	Take ownership of files or other objects	Administrators	Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads

Advanced Audit Policies

Feature	Policy Setting	Policy Value	Description
Account Logon	Audit Credential Validation	Success and Failure	Audit events generated by validation tests on user account logon credentials. Occurs only on the computer that is authoritative for those credentials.
Account Management	Audit Security Group Management	Success	Audit events generated by changes to security groups, such as creating, changing or deleting security groups, adding or removing members, or changing group type.
Account Management	Audit User Account Management	Success and Failure	Audit changes to user accounts. Events include creating, changing, deleting user accounts; renaming, disabling, enabling, locking out, or unlocking accounts; setting or changing a user account’s password; adding a security identifier (SID) to the SID History of a user account; configuring the Directory Services Restore Mode password; changing permissions on administrative user accounts; backing up or restoring Credential Manager credentials
Detailed Tracking	Audit PNP Activity	Success	Audit when plug and play detects an external device
Detailed Tracking	Audit Process Creation	Success	Audit events generated when a process is created or starts; the name of the application or user that created the process is also audited
Logon/ Logoff	Audit Account Lockout	Failure	Audit events generated by a failed attempt to log on to an account that is locked out
Logon/ Logoff	Audit Group Membership	Success	Audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
Logon/ Logoff	Audit Logon	Success and Failure	Audit events generated by user account logon attempts on the computer
Logon/ Logoff	Audit Other Logon / Logoff Events	Success and Failure	Audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as Terminal Services session disconnections, new Terminal Services sessions locking and unlocking a workstation, invoking or dismissing a screen saver, detection of a Kerberos replay attack, or access to a wireless network granted to a user or computer account
Logon/ Logoff	Audit Special Logon	Success	Audit events generated by special logons such as the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level, or a logon by a member of a Special Group (Special Groups enable you to audit events generated when a member of a certain group has logged on to your network)
Object Access	Audit Detailed File Share	Failure	Audit attempts to access files and folders on a shared folder; the Detailed File Share setting logs an event every time a file or folder is accessed
Object Access	Audit File Share	Success and Failure	Audit attempts to access a shared folder; an audit event is generated when an attempt is made to access a shared folder
Object Access	Audit Other Object Access Events	Success and Failure	Audit events generated by the management of task scheduler jobs or COM+ objects
Object Access	Audit Removable Storage	Success and Failure	Audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested.
Policy Change	Audit Audit Policy Change	Success	Audit changes in the security audit policy settings
Policy Change	Audit Authentication Policy Change	Success	Audit events generated by changes to the authentication policy
Policy Change	Audit MPSSVC Rule-Level Policy Change	Success and Failure	Audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall.
Policy Change	Audit Other Policy Change Events	Failure	Audit events generated by other security policy changes that are not audited in the policy change category, such as Trusted Platform Module (TPM) configuration changes, kernel-mode cryptographic self tests, cryptographic provider operations, cryptographic context operations or modifications, applied Central Access Policies (CAPs) changes, or boot Configuration Data (BCD) modifications
Privilege Use	Audit Sensitive Privilege Use	Success and Failure	Audit events generated when sensitive privileges (user rights) are used
System	Audit Other System Events	Success and Failure	Audit any of the following events: Startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall Service, cryptography key file and migration operations.
System	Audit Security State Change	Success	Audit events generated by changes in the security state of the computer such as startup and shutdown of the computer, change of system time, recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured.
System	Audit Security System Extension	Success	Audit events related to security system extensions or services
System	Audit System Integrity	Success and Failure	Audit events that violate the integrity of the security subsystem

Windows Defender Firewall Policies

Feature	Policy Setting	Policy Value	Description
Domain Profile / State	Firewall State	On	Enables the firewall when connected to the domain profile
Domain Profile / State	Inbound Connections	Block	Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the domain profile
Domain Profile / State	Outbound Connections	Allow	Outbound connections for which there is no rule blocking the connection will be allowed in the domain profile
Domain Profile / Settings	Display a notification	No	The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the domain profile
Domain Profile / Logging	Size Limit	16384	Sets the firewall log file size for a domain connection
Domain Profile / Logging	Log dropped packets	Yes	Enables logging of dropped packets for a domain connection
Domain Profile / Logging	Log successful connections	Yes	Enables logging of successful connections for a domain connection
Private Profile / State	Firewall State	On	Enables the firewall when connected to the private profile
Private Profile / State	Inbound Connections	Block	Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the private profile
Private Profile / State	Outbound Connections	Allow	Outbound connections for which there is no rule blocking the connection will be allowed in the private profile
Private Profile / Settings	Display a notification	No	The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the private profile
Private Profile / Logging	Size Limit	16384	Sets the firewall log file size for a private connection
Private Profile / Logging	Log dropped packets	Yes	Enables logging of dropped packets for a private connection
Private Profile / Logging	Log successful connections	Yes	Enables logging of successful connections for a private connection
Public Profile / State	Firewall State	On	Enables the firewall when connected to the public profile
Public Profile / State	Inbound Connections	Block	Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the public profile
Public Profile / State	Outbound Connections	Allow	Outbound connections for which there is no rule blocking the connection will be allowed in the public profile
Public Profile / Settings	Display a notification	No	The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the public profile
Public Profile / Settings	Apply local firewall rules	No	Users cannot create new firewall rules
Public Profile / Settings	Apply local connection security rules	No	Ensures local connection rules will not be merged with Group Policy settings in the domain
Public Profile / Logging	Size Limit	16384	Sets the firewall log file size for a public connection
Public Profile / Logging	Log dropped packets	Yes	Enables logging of dropped packets for a public connection
Public Profile / Logging	Log successful connections	Yes	Enables logging of successful connections for a public connection

Computer Policies

Feature	Policy Setting	Policy Value	Description
LAPS	Enable local admin password management	Enabled	Activates LAPS for the device
MS Security Guide	Apply UAC restrictions to local accounts on network logon	Enabled	Filters the user account token for built-in administrator accounts for network logons
MS Security Guide	Configure SMB v1 client driver	Disable driver (recommended)	Configure the startup mode for the kernel mode driver that implements client-side SMBv1 processing (MrxSmb10). This setting includes a dropdown that is activated when the Enabled radio button is selected and that controls the “Start” registry value in HKLM\SYSTEM\CurrentControlSet\Services\MrxSmb10.
MS Security Guide	Configure SMB v1 server	Disabled	Disable or enable server-side processing of the SMBv1 protocol
MS Security Guide	Enabled Structured Exception Handling Overwrite Protection (SEHOP)	Enabled	This feature is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. This protection mechanism is provided at run-time. Therefore, it helps protect applications regardless of whether they have been compiled with the latest improvements, such as the /SAFESEH option. We recommend that Windows users who are running any of the above operating systems enable this feature to improve the security profile of their systems.
MS Security Guide	NetBT NodeType Configuration	P-node (recommended)	The NetBT NodeType setting determines what methods NetBT uses to register and resolve names: - A B-node computer uses broadcasts. - A P-node computer uses only point-to-point name queries to a name server (WINS). - An M-node computer broadcasts first, and then queries the name server. - An H-node computer queries the name server first, and then broadcasts. Resolution through LMHOSTS or DNS follows these methods. If the NodeType value is present, it overrides any DhcpNodeType value. If neither NodeType nor DhcpNodeType is present, the computer uses B-node if there are no WINS servers configured for the network, or H-node if there is at least one WINS server configured.
MS Security Guide	WDigest Authentication	Disabled	When the WDigest Authentication protocol is enabled, plain text passwords are stored in the Local Security Authority Subsystem Service (LSASS) exposing them to theft. WDigest is disabled by default in Windows 10. This setting ensures this is enforced.
MSS	MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (Protects against packet spoofing)	Highest Protection, source routing is completely disabled	Allowing source routed network traffic allows attackers to obscure their identity and location.
MSS	MSS: (DisableIPSourceRouting) IP source routing protection level (Protects against packet spoofing)	Highest Protection, source routing is completely disabled	Allowing source routed network traffic allows attackers to obscure their identity and location.
MSS	MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes	Disabled	Allowing ICMP redirect of routes can lead to traffic not being routed properly. When disabled, this forces ICMP to be routed via shortest path first.
MSS	MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers	Enabled	Prevents a denial-of-service (DoS) attack against a WINS server. The DoS consists of sending a NetBIOS Name Release Request to the server for each entry in the server's cache, causing a response delay in the normal operation of the server's WINS resolution capability.
Network / DNS Client	Turn off multicast name resolution	Enabled	Specifies that link local multicast name resolution (LLMNR) is disabled on client computers. LLMNR is a secondary name resolution protocol. With LLMNR, queries are sent using multicast over a local network link on a single subnet from a client computer to another client computer on the same subnet that also has LLMNR enabled. LLMNR does not require a DNS server or DNS client configuration, and provides name resolution in scenarios in which conventional DNS name resolution is not possible. If you enable this policy setting, LLMNR will be disabled on all available network adapters on the client computer. If you disable this policy setting, or you do not configure this policy setting, LLMNR will be enabled on all available network adapters.
Network / Lanman Workstation	Enable insecure guest logons	Disabled	Determines if the SMB client will allow insecure guest logons to an SMB server
Network / Network Connections	Prohibit use of Internet Connection Sharing on your DNS domain network	Enabled	Determines whether administrators can enable and configure the Internet Connection Sharing (ICS) feature of an Internet connection and if the ICS service can run on the computer.
Network / Network Provider	Hardened UNC Paths	\\\SYSVOL and \\\NETLOGON RequireMutualAuthentication = 1, RequireIntegrity = 1	This policy setting configures secure access to UNC paths. If you enable this policy, Windows only allows access to the specified UNC paths after fulfilling additional security requirements.
Network / Windows Connection Manager	Prohibit connection to non-domain networks when connected to domain authenticated network	Enabled	This policy setting prevents computers from connecting to both a domain-based network and a non-domain-based network at the same time.
System / Credentials Delegation	Encryption Oracle Remediation	Force Updated Clients	Enryption Oracle Remediation
System / Credentials Delegation	Remote host allows delegation of non-exportable credentials	Enabled	When using credential delegation, devices provide an exportable version of credentials to the remote host. This exposes users to the risk of credential theft from attackers on the remote host. If you enable this policy setting, the host supports Restricted Admin or Remote Credential Guard mode.
System / Device Installation / Device Installation Restrictions	Prevent installation of devices that match any of these device IDs	[[[main setting]]] = Enabled Also apply to matching devices that are already installed = True 1 = PCI\CC_0C0A	This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in a list that you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.
System / Device Installation / Device Installation Restrictions	Prevent installation of devices using drivers that match these device setup classes	[[[main setting]]] = Enabled Also apply to matching devices that are already installed = True 1 = {d48179be-ec20-11d1-b6b8-00c04fa372a7}	This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device. if you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server. If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.
System / Early Launch Antimalware	Boot-Start Driver Initialization Policy	Good, unknown and bad but critical	Allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver: - Good: The driver has been signed and has not been tampered with. - Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized. - Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. - Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver. If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started. If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped. If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.
System / Group Policy	Configure registry policy processing	Process even if the Group Policy objects have not changed = True Do not apply during periodic background processing = False	Determines when registry policies are updated. This policy setting affects all policies in the Administrative Templates folder and any other policies that store values in the registry. It overrides customized settings that the program implementing a registry policy set when it was installed. If you enable this policy setting, you can use the check boxes provided to change the options. If you disable or do not configure this policy setting, it has no effect on the system. The "Do not apply during periodic background processing" option prevents the system from updating affected policies in the background while the computer is in use. When background updates are disabled, policy changes will not take effect until the next user logon or system restart. The "Process even if the Group Policy objects have not changed" option updates and reapplies the policies even if the policies have not changed. Many policy implementations specify that they are updated only when changed. However, you might want to update unchanged policies, such as reapplying a desired policy setting in case a user has changed it.
System / Internet Communication Management / Internet Communication settings	Turn off Internet download for Web publishing and online ordering wizards	Enabled	This policy setting specifies whether Windows should download a list of providers for the web publishing and online ordering wizards. These wizards allow users to select from a list of companies that provide services such as online storage and photographic printing. By default, Windows displays providers downloaded from a Windows website in addition to providers specified in the registry.
System / Kernel DMA Protection	Enumeration policy for external devices incompatible with Kernel DMA Protection	Block all	Enumeration policy for external DMA-capable devices incompatible with DMA remapping. This policy only takes effect when Kernel DMA Protection is enabled and supported by the system. Note: this policy does not apply to 1394, PCMCIA or ExpressCard devices.
System / Power Management / Sleep Settings	Require a password when a computer wakes (on battery)	Enabled	Specifies whether the user is prompted for a password when the system resumes from sleep
System / Power Management / Sleep Settings	Require a password when a computer wakes (plugged in)	Enabled	Specifies whether the user is prompted for a password when the system resumes from sleep
System / Remote Procedure Call	Restrict Unauthenticated RPC clients	Authenticated	Controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.
System / Service Control Manager Settings / Security Settings	Enable svchost.exe mitigation options	Enabled	Enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by microsoft, as well as a policy disallowing dynamically-generated code. If you disable or do not configure this policy setting, these stricter security settings will not be applied.
Windows Components / App runtime	Allow Microsoft accounts to be optional	Enabled	Lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it.
Windows Components / AutoPlay Policies	Disallow Autoplay for non-volume devices	Enabled	Disallows AutoPlay for MTP devices like cameras or phones.
Windows Components / AutoPlay Policies	Set the default behavior for AutoRun	Do not execute any autorun commands	Sets the default behavior for Autorun commands.
Windows Components / AutoPlay Policies	Turn off Autoplay	All Drives	Allows you to turn off the Autoplay feature.
Windows Components / Biometrics / Facial Features	Configure enhanced anti-spoofing	Enabled	Determines whether enhanced anti-spoofing is required for Windows Hello face authentication
Windows Components / BitLocker Drive Encryption	Disable new DMA devices when this computer is locked	Enabled	Allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows
Windows Components / BitLocker Drive Encryption / Operating System Drives	Allow enhanced PINs for startup	Enabled	Allows you to configure whether enhanced startup PINs are used with BitLocker
Windows Components / Event Log Service / Application	Specify the maximum log file size (KB)	32768	Specifies the maximum size of the log file in kilobytes.
Windows Components / Event Log Service / Security	Specify the maximum log file size (KB)	196608	Specifies the maximum size of the log file in kilobytes.
Windows Components / Event Log Service / System	Specify the maximum log file size (KB)	Enabled: 32768	Specifies the maximum size of the log file in kilobytes.
Windows Components / File Explorer	Configure Windows Defender SmartScreen	[[[main setting]]] = Enabled Pick one of the following settings = Warn and prevent bypass	Configure whether to turn on Windows Defender SmartScreen to provide warning messages to help protect your employees from potential phishing scams and malicious software
Windows Components / Internet Explorer	Prevent managing SmartScreen Filter	On	Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware.
Windows Components / Internet Explorer	Specify use of ActiveX Installer Service for installation of ActiveX controls	Enabled	This policy setting allows you to specify how ActiveX controls are installed. If you enable this policy setting, ActiveX controls are installed only if the ActiveX Installer Service is present and has been configured to allow the installation of ActiveX controls. If you disable or do not configure this policy setting, ActiveX controls, including per-user controls, are installed through the standard installation process.
Windows Components / Internet Explorer	Turn off the Security Settings Check feature	Disabled	This policy setting turns off the Security Settings Check feature, which checks Internet Explorer security settings to determine when the settings put Internet Explorer at risk. If you enable this policy setting, the feature is turned off. If you disable or do not configure this policy setting, the feature is turned on.
Windows Components / Internet Explorer / Internet Control Panel	Prevent ignoring certificate errors	Enabled	This policy setting prevents the user from ignoring Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificate errors that interrupt browsing (such as "expired", "revoked", or "name mismatch" errors) in Internet Explorer.
Windows Components / Internet Explorer / Internet Control Panel / Advanced Page	Allow software to run or install even if the signature is invalid	Disabled	This policy setting allows you to manage whether software, such as ActiveX controls and file downloads, can be installed or run by the user even though the signature is invalid. An invalid signature might indicate that someone has tampered with the file.
Windows Components / Internet Explorer / Internet Control Panel / Advanced Page	Check for server certificate revocation	Enabled	Allows you to manage whether Internet Explorer will check revocation status of servers' certificates
Windows Components / Internet Explorer / Internet Control Panel / Advanced Page	Check for signatures on downloaded programs	Enabled	This policy setting allows you to manage whether Internet Explorer checks for digital signatures (which identifies the publisher of signed software and verifies it hasn't been modified or tampered with) on user computers before downloading executable programs.
Windows Components / Internet Explorer / Internet Control Panel / Advanced Page	Turn off encryption support	Use TLS 1.1 and TLS 1.2	This policy setting allows you to turn off support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, or SSL 3.0 in the browser. TLS and SSL are protocols that help protect communication between the browser and the target server. When the browser attempts to set up a protected communication with the target server, the browser and server negotiate which protocol and version to use. The browser and server attempt to match each other’s list of supported protocols and versions, and they select the most preferred match.
Windows Components / Internet Explorer / Internet Control Panel / Security Page	Turn on certificate address mismatch warning	Enabled	This policy setting allows you to turn on the certificate address mismatch security warning. When this policy setting is turned on, the user is warned when visiting Secure HTTP (HTTPS) websites that present certificates issued for a different website address. This warning helps prevent spoofing attacks.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Access data sources across domains	Disable	This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Allow cut copy or paste operations from the clipboard via script	Disable	This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Allow drag and drop or copy and paste files	Disable	This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Allow loading of XAML files	Disable	This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Allow only approved domains to use ActiveX controls without prompt	Enable	This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Allow only approved domains to use the TDC ActiveX control	Enable	This policy setting controls whether the user can run the TDC ActiveX control on websites.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Allow scripting of Internet Explorer WebBrowser controls	Disable	This policy setting determines whether a page can control embedded WebBrowser controls via script.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Allow script-initiated windows without size or position constraints	Disable	This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Allow scriptlets	Disable	This policy setting allows you to manage whether the user can run scriptlets.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Allow updates to status bar via script	Disable	This policy setting allows you to manage whether script can update the status bar within the zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Allow VBScript to run in Internet Explorer	Disable	This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Automatic prompting for file downloads	Disable	This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Don't run antimalware programs against ActiveX controls	Disable	Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Download unsigned ActiveX controls	Disable	This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Enable dragging of content from different domains across windows	Disable	This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Enable dragging of content from different domains within a window	Disable	This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Include local path when user is uploading files to a server	Disable	This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Initialize and script ActiveX controls not marked as safe	Disable	This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Java permissions	Disable Java	This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Launching applications and files in an IFRAME	Disable	This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Logon options	Prompt for user name and password	This policy setting allows you to manage settings for logon options. Prompt for user name and password to query users for user IDs and passwords. After a user is queried, these values can be used silently for the remainder of the session.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Navigate windows and frames across different domains	Disable	This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Run .NET Framework-reliant components not signed with Authenticode	Disable	This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Run .NET Framework-reliant components signed with Authenticode	Enabled: Disable	This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Show security warning for potentially unsafe files	Prompt	This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example).
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Turn on Cross-Site Scripting Filter	Enabled: Enable	Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Turn on Protected Mode	Enable	Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Turn on SmartScreen Filter scan	Enable	Controls whether SmartScreen Filter scans pages in this zone for malicious content.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Use Pop-up Blocker	Enabled: Enable	Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Userdata persistence	Disable	This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone	Web sites in less privileged Web content zones can navigate into this zone	Disable	This policy setting allows you to manage whether Web sites from less privileged zones, such as Restricted Sites, can navigate into this zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone	Don't run antimalware programs against ActiveX controls	Enabled: Disable	Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone	Initialize and script ActiveX controls not marked as safe	Enabled: Disable	This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone	Java permissions	Enabled: High Safety	Allows you to manage permissions for Java applets. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone	Don't run antimalware programs against ActiveX controls	Disable	Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone	Java permissions	Disable Java	This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-down Internet Zone	Turn on SmartScreen Filter scan	Enable	Controls whether SmartScreen Filter scans pages in this zone for malicious content.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Intranet Zone	Java permissions	Disable Java	This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Local Machine Zone	Java permissions	Disable Java	This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone	Java permissions	Disable Java	This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone	Turn on SmartScreen Filter scan	Enabled: Enable	Controls whether SmartScreen Filter scans pages in this zone for malicious content.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone	Java permissions	Disable Java	Allows you to configure policy settings according to the default for the selected security level, such Low, Medium, or High.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Access data sources across domains	Enabled: Disable	This policy setting allows you to manage whether Internet Explorer can access data from another security zone using the Microsoft XML Parser (MSXML) or ActiveX Data Objects (ADO).
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow active scripting	Disable	This policy setting allows you to manage whether script code on pages in the zone is run.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow binary and script behaviors	Disable	This policy setting allows you to manage dynamic binary and script behaviors: components that encapsulate specific functionality for HTML elements to which they were attached.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow cut copy or paste operations from the clipboard via script	Enabled: Disable	This policy setting allows you to manage whether scripts can perform a clipboard operation (for example, cut, copy, and paste) in a specified region.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow drag and drop or copy and paste files	Disable	This policy setting allows you to manage whether users can drag files or copy and paste files from a source within the zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow file downloads	Disable	This policy setting allows you to manage whether file downloads are permitted from the zone. This option is determined by the zone of the page with the link causing the download, not the zone from which the file is delivered.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow loading of XAML files	Disable	This policy setting allows you to manage the loading of Extensible Application Markup Language (XAML) files. XAML is an XML-based declarative markup language commonly used for creating rich user interfaces and graphics that take advantage of the Windows Presentation Foundation.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow META REFRESH	Disable	This policy setting allows you to manage whether a user's browser can be redirected to another Web page if the author of the Web page uses the Meta Refresh setting (tag) to redirect browsers to another Web page.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow only approved domains to use ActiveX controls without prompt	Enable	This policy setting controls whether the user is prompted to allow ActiveX controls to run on websites other than the website that installed the ActiveX control.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow only approved domains to use the TDC ActiveX control	Enable	This policy setting controls whether the user can run the TDC ActiveX control on websites.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow scripting of Internet Explorer WebBrowser controls	Disable	This policy setting determines whether a page can control embedded WebBrowser controls via script.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow script-initiated windows without size or position constraints	Enabled: Disable	This policy setting allows you to manage restrictions on script-initiated pop-up windows and windows that include the title and status bars.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow scriptlets	Disable	This policy setting allows you to manage whether the user can run scriptlets.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow updates to status bar via script	Disable	This policy setting allows you to manage whether script can update the status bar within the zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Allow VBScript to run in Internet Explorer	Disable	This policy setting allows you to manage whether VBScript can be run on pages from the specified zone in Internet Explorer.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Automatic prompting for file downloads	Disable	This policy setting determines whether users will be prompted for non-user-initiated file downloads. Regardless of this setting, users will receive file download dialogs for user-initiated downloads.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Don't run antimalware programs against ActiveX controls	Disable	Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Download signed ActiveX controls	Disable	This policy setting allows you to manage whether users may download signed ActiveX controls from a page in the zone
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Download unsigned ActiveX controls	Disable	This policy setting allows you to manage whether users may download unsigned ActiveX controls from the zone. Such code is potentially harmful, especially when coming from an untrusted zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Enable dragging of content from different domains across windows	Disable	This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in different windows.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Enable dragging of content from different domains within a window	Disable	This policy setting allows you to set options for dragging content from one domain to a different domain when the source and destination are in the same window.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Include local path when user is uploading files to a server	Disable	This policy setting controls whether local path information is sent when the user is uploading a file via an HTML form. If the local path information is sent, some information may be unintentionally revealed to the server. For instance, files sent from the user's desktop may contain the user name as a part of the path.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Initialize and script ActiveX controls not marked as safe	Disable	This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Java permissions	Disable Java	This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. Disable Java to prevent any applets from running.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Launching applications and files in an IFRAME	Disable	This policy setting allows you to manage whether applications may be run, and files may be downloaded from an IFRAME reference in the HTML of the pages in this zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Logon options	Anonymous logon	This policy setting allows you to manage settings for logon options. Anonymous logon to disable HTTP authentication and use the guest account only for the Common Internet File System (CIFS) protocol.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Navigate windows and frames across different domains	Enabled: Disable	This policy setting allows you to manage the opening of windows and frames and access of applications across different domains.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Run .NET Framework-reliant components not signed with Authenticode	Disable	This policy setting allows you to manage whether .NET Framework components that are not signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Run .NET Framework-reliant components signed with Authenticode	Enabled: Disable	This policy setting allows you to manage whether .NET Framework components that are signed with Authenticode can be executed from Internet Explorer. These components include managed controls referenced from an object tag and managed executables referenced from a link.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Run ActiveX controls and plugins	Enabled: Disable	This policy setting allows you to manage whether ActiveX controls and plug-ins can be run on pages from the specified zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Script ActiveX controls marked safe for scripting	Disable	This policy setting allows you to manage whether an ActiveX control marked safe for scripting can interact with a script.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Scripting of Java applets	Disable	This policy setting allows you to manage whether applets are exposed to scripts within the zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Show security warning for potentially unsafe files	Disable	This policy setting controls whether the "Open File - Security Warning" message appears when the user tries to open executable files or other potentially unsafe files (from an intranet file share by using File Explorer, for example). If you disable this policy setting, these files do not open.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Turn on Cross-Site Scripting Filter	Enable	Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Turn on Protected Mode	Enable	Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Turn on SmartScreen Filter scan	Enabled: Enable	Controls whether SmartScreen Filter scans pages in this zone for malicious content.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Use Pop-up Blocker	Enable	Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Userdata persistence	Disable	This policy setting allows you to manage the preservation of information in the browser's history, in favorites, in an XML store, or directly within a Web page saved to disk. When a user returns to a persisted page, the state of the page can be restored if this policy setting is appropriately configured.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone	Web sites in less privileged Web content zones can navigate into this zone	Disable	This policy setting allows you to manage whether Web sites from less privileged zones, such as Internet sites, can navigate into this zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone	Don't run antimalware programs against ActiveX controls	Disable	Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone	Initialize and script ActiveX controls not marked as safe	Disable	This policy setting allows you to manage ActiveX controls not marked as safe. If you enable this policy setting, ActiveX controls are run, loaded with parameters, and scripted without setting object safety for untrusted data or scripts. This setting is not recommended, except for secure and administered zones. This setting causes both unsafe and safe controls to be initialized and scripted, ignoring the Script ActiveX controls marked safe for scripting option.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone	Java permissions	High Safety	This policy setting allows you to manage permissions for Java applets. If you enable this policy setting, you can choose options from the drop-down box. Custom, to control permissions settings individually. High Safety enables applets to run in their sandbox.
Windows Components / Internet Explorer / Security Features	Allow fallback to SSL 3.0 (Internet Explorer)	No sites	Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.
Windows Components / Internet Explorer / Security Features / Add-on Management	Remove "Run this time" button for outdated ActiveX controls in Internet Explorer	Enabled	This policy setting allows you to stop users from seeing the "Run this time" button and from running specific outdated ActiveX controls in Internet Explorer.
Windows Components / Internet Explorer / Security Features / Add-on Management	Turn off blocking of outdated ActiveX controls for Internet Explorer	Disabled	This policy setting determines whether Internet Explorer blocks specific outdated ActiveX controls. Outdated ActiveX controls are never blocked in the Intranet Zone.
Windows Components / Internet Explorer / Security Features / Consistent Mime Handling	Internet Explorer Processes	Enabled	Internet Explorer uses Multipurpose Internet Mail Extensions (MIME) data to determine file handling procedures for files received through a Web server. This policy setting determines whether Internet Explorer requires that all file-type information provided by Web servers be consistent. For example, if the MIME type of a file is text/plain but the MIME sniff indicates that the file is really an executable file, Internet Explorer renames the file by saving it in the Internet Explorer cache and changing its extension. If you enable this policy setting, Internet Explorer requires consistent MIME data for all received files.
Windows Components / Internet Explorer / Security Features / Mime Sniffing Safety Feature	Internet Explorer Processes	Enabled	This policy setting determines whether Internet Explorer MIME sniffing will prevent promotion of a file of one type to a more dangerous file type. If you enable this policy setting, MIME sniffing will never promote a file of one type to a more dangerous file type.
Windows Components / Internet Explorer / Security Features / MK Protocol Security Restriction	Internet Explorer Processes	Enabled	The MK Protocol Security Restriction policy setting reduces attack surface area by preventing the MK protocol. Resources hosted on the MK protocol will fail. If you enable this policy setting, the MK Protocol is prevented for File Explorer and Internet Explorer, and resources hosted on the MK protocol will fail.
Windows Components / Internet Explorer / Security Features / Notification Bar	Internet Explorer Processes	Enabled	This policy setting allows you to manage whether the Notification bar is displayed for Internet Explorer processes when file or code installs are restricted. By default, the Notification bar is displayed for Internet Explorer processes. If you enable this policy setting, the Notification bar will be displayed for Internet Explorer Processes.
Windows Components / Internet Explorer / Security Features / Protection from Zone Elevation	Internet Explorer Processes	Enabled	Internet Explorer places restrictions on each Web page it opens. The restrictions are dependent upon the location of the Web page (Internet, Intranet, Local Machine zone, etc.). Web pages on the local computer have the fewest security restrictions and reside in the Local Machine zone, making the Local Machine security zone a prime target for malicious users. Zone Elevation also disables JavaScript navigation if there is no security context. If you enable this policy setting, any zone can be protected from zone elevation by Internet Explorer processes.
Windows Components / Internet Explorer / Security Features / Restrict ActiveX Install	Internet Explorer Processes	Enabled	This policy setting enables blocking of ActiveX control installation prompts for Internet Explorer processes. If you enable this policy setting, prompting for ActiveX control installations will be blocked for Internet Explorer processes.
Windows Components / Internet Explorer / Security Features / Restrict File Download	Internet Explorer Processes	Enabled	This policy setting enables blocking of file download prompts that are not user initiated. If you enable this policy setting, file download prompts that are not user initiated will be blocked for Internet Explorer processes.
Windows Components / Internet Explorer / Security Features / Scripted Window Security Restrictions	Internet Explorer Processes	Enabled	Internet Explorer allows scripts to programmatically open, resize, and reposition windows of various types. The Window Restrictions security feature restricts popup windows and prohibits scripts from displaying windows in which the title and status bars are not visible to the user or obfuscate other Windows' title and status bars. If you enable this policy setting, popup windows and other restrictions apply for File Explorer and Internet Explorer processes.
Windows Components / Microsoft Edge	Configure Windows Defender SmartScreen	Enabled	Configures whether to turn on Windows Defender SmartScreen. Windows Defender SmartScreen provides warning messages to help protect your employees from potential phishing scams and malicious software. By default, Windows Defender SmartScreen is turned on. If you enable this setting, Windows Defender SmartScreen is turned on and employees can't turn it off. If you disable this setting, Windows Defender SmartScreen is turned off and employees can't turn it on. If you don't configure this setting, employees can choose whether to use Windows Defender SmartScreen.
Windows Components / Microsoft Edge	Prevent certificate error overrides	Enabled	Web security certificates are used to ensure a site your users go to is legitimate, and in some circumstances encrypts the data. With this policy, you can specify whether to prevent users from bypassing the security warning to sites that have SSL errors. If enabled, overriding certificate errors are not allowed. If disabled or not configured, overriding certificate errors are allowed.
Windows Components / Remote Desktop Services / Remote Desktop Connection Client	Do not allow passwords to be saved	Enabled	Controls whether passwords can be saved on this computer from Remote Desktop Connection.
Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security	Always prompt for password upon connection	Enabled	This policy setting specifies whether Remote Desktop Services always prompts the client for a password upon connection. You can use this setting to enforce a password prompt for users logging on to Remote Desktop Services, even if they already provided the password in the Remote Desktop Connection client.
Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security	Require secure RPC communication	Enabled	Specifies whether a Remote Desktop Session Host server requires secure RPC communication with all clients or allows unsecured communication.
Windows Components / Remote Desktop Services / Remote Desktop Session Host / Security	Set client connection encryption level	High Level	Specifies whether to require the use of a specific encryption level to secure communications between client computers and RD Session Host servers during Remote Desktop Protocol (RDP) connections. This policy only applies when you are using native RDP encryption. However, native RDP encryption (as opposed to SSL encryption) is not recommended. This policy does not apply to SSL encryption.
Windows Components / RSS Feeds	Prevent downloading of enclosures	Enabled	This policy setting prevents the user from having enclosures (file attachments) downloaded from a feed to the user's computer. if you enable this policy setting, the user cannot set the Feed Sync Engine to download an enclosure through the Feed property page. A developer cannot change the download setting through the Feed APIs. If you disable or do not configure this policy setting, the user can set the Feed Sync Engine to download an enclosure through the Feed property page. A developer can change the download setting through the Feed APIs.
Windows Components / Search	Allow indexing of encrypted files	Disabled	This policy setting allows encrypted items to be indexed. if you enable this policy setting, indexing will attempt to decrypt and index the content (access restrictions will still apply). If you disable this policy setting the search service components (including non-Microsoft components) are expected not to index encrypted items or encrypted stores. This policy setting is not configured by default. If you do not configure this policy setting the local setting configured through Control Panel will be used. By default, the Control Panel setting is set to not index encrypted content. When this setting is enabled or disabled the index is rebuilt completely. Full volume encryption (such as BitLocker Drive Encryption or a non-Microsoft solution) must be used for the location of the index to maintain security for encrypted files.
Windows Components / Windows Defender Antivirus / MAPS	Join Microsoft MAPS	Advanced MAPS	Allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections.
Windows Components / Windows Defender Antivirus	Turn off Windows Defender Antivirus	Disabled	Turns off Windows Defender Antivirus
Windows Components / Windows Defender Antivirus / MAPS	Send file samples when further analysis is required	Enabled: Send safe samples	Configures behavior of samples submission when opt-in for MAPS telemetry is set
Windows Components / Windows Defender Antivirus / Real-time Protection	Turn off real-time protection	Disabled	Turns off real-time protection prompts for known malware detection
Windows Components / Windows Defender Antivirus / Real-time Protection	Turn on behavior monitoring	Enabled	Allows you to configure behavior monitoring.
Windows Components / Windows Defender Antivirus / Scan	Scan removable drives	Enabled	Allows you to manage whether to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.
Windows Components / Windows Defender Antivirus / Scan	Specify the interval to run quick scans per day	24	Allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day).
Windows Components / Windows Defender SmartScreen / Explorer	Configure Windows Defender SmartScreen	[[[main setting]]] = Enabled Pick one of the following settings = Warn and prevent bypass	Turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy, SmartScreen will be turned on for all users. Its behavior can be controlled by the following options: - Warn and prevent bypass - Warn If you enable this policy with the "Warn and prevent bypass" option, SmartScreen's dialogs will not present the user with the option to disregard the warning and run the app. SmartScreen will continue to show the warning on subsequent attempts to run the app. If you enable this policy with the "Warn" option, SmartScreen's dialogs will warn the user that the app appears suspicious, but will permit the user to disregard the warning and run the app anyway. SmartScreen will not warn the user again for that app if the user tells SmartScreen to run the app. If you disable this policy, SmartScreen will be turned off for all users. Users will not be warned if they try to run suspicious apps from the Internet. If you do not configure this policy, SmartScreen will be enabled by default, but users may change their settings.
Windows Components / Windows Defender SmartScreen / Microsoft Edge	Configure Windows Defender SmartScreen	Enabled	Turn Windows Defender SmartScreen on or off. SmartScreen helps protect PCs by warning users before running potentially malicious programs downloaded from the Internet. This warning is presented as an interstitial dialog shown before running an app that has been downloaded from the Internet and is unrecognized or known to be malicious. No dialog is shown for apps that do not appear to be suspicious. Some information is sent to Microsoft about files and programs run on PCs with this feature enabled. If you enable this policy, SmartScreen will be turned on for all users.
Windows Components / Windows Ink Workspace	Allow Windows Ink Workspace	On, but disallow access above lock	Allow Windows Ink Workspace
Windows Components / Windows Installer	Allow user control over installs	Disabled	Permits users to change installation options that typically are available only to system administrators
Windows Components / Windows Installer	Always install with elevated privileges	Disabled	Directs Windows Installer to use elevated permissions when it installs any program on the system
Windows Components / Windows Logon Options	Sign-in last interactive user automatically after a system-initiated restart	Disabled	Controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system
Windows Components / Windows PowerShell	Turn on PowerShell Script Block Logging	Enabled	This policy setting enables logging of all PowerShell script input to the Microsoft-Windows-PowerShell/Operational event log.
Windows Components / Windows Remote Management (WinRM) / WinRM Client	Allow Basic authentication	Disabled	This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Basic authentication.
Windows Components / Windows Remote Management (WinRM) / WinRM Client	Allow unencrypted traffic	Disabled	Manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network
Windows Components / Windows Remote Management (WinRM) / WinRM Client	Disallow Digest authentication	Enabled	This policy setting allows you to manage whether the Windows Remote Management (WinRM) client uses Digest authentication.
Windows Components / Windows Remote Management (WinRM) / WinRM Service	Allow Basic authentication	Disabled	This policy setting allows you to manage whether the Windows Remote Management (WinRM) service accepts Basic authentication from a remote client.
Windows Components / Windows Remote Management (WinRM) / WinRM Service	Allow unencrypted traffic	Disabled	Manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.
Windows Components / Windows Remote Management (WinRM) / WinRM Service	Disallow WinRM from storing RunAs credentials	Enabled	This policy setting allows you to manage whether the Windows Remote Management (WinRM) service will not allow RunAs credentials to be stored for any plug-ins.

Controls

The controls enabled in level 1 enforce a reasonable security level while minimizing the impact to users and applications.

Feature	Config	Description
Local Admin Password Solution (LAPS)	Deployed to all devices	Generates a unique local admin password to devices, mitigating many lateral traversal attacks.
Windows Defender ATP EDR	Deployed to all devices	The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an entity called an incident. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step.
Windows Defender Credential Guard	Enabled for all compatible hardware	Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as applications will break if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using the rings methodology.
Microsoft Edge	Default browser	Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using the rings methodology.
Windows Defender Application Guard	Enabled on compatible hardware	Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using the rings methodology.
Network protection	Configure and enforce Network Protection	Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of Windows Defender SmartScreen to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). There is a risk to application compatibility, as a result of false positives in flagged sites. Microsoft recommends deploying using the Audit / Enforce Methodology.

Behaviors

The behaviors recommended in level 1 enforce a reasonable security level while minimizing the impact to users or to applications.

Feature	Config	Description
OS security updates	Deploy Windows Quality Updates within 7 days of release	As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

level-1-enterprise-basic-security.md

level-1-enterprise-basic-security.md

Level 1 Enterprise Basic Security configuration

Hardware

Policies

Security Template Policies

Advanced Audit Policies

Windows Defender Firewall Policies

Computer Policies

Controls

Behaviors

Files

level-1-enterprise-basic-security.md

Latest commit

History

level-1-enterprise-basic-security.md

File metadata and controls

Level 1 Enterprise Basic Security configuration

Hardware

Policies

Security Template Policies

Advanced Audit Policies

Windows Defender Firewall Policies

Computer Policies

Controls

Behaviors