Level 5 enterprise security configuration

Applies to

  • Windows 10

Level 5 is the minimum security configuration for an enterprise device. Microsoft recommends the following configuration for level 5 devices.

Policies

The policies in level 5 enforce a reasonable security level while minimizing the impact to users or to applications. Microsoft recommends using the rings methodology for these security configurations and controls, noting that the timeline can generally be short given the limited potential impact of the security controls.

Security Template Policies

Feature Policy Setting Policy Value Description
Password Policy Enforce password history 24 The number of unique new passwords that must be associated with a user account before an old password can be reused.
Password Policy Minimum password length 14 The least number of characters that a password for a user account may contain.
Password Policy Password must meet complexity requirements Enabled Determines whether passwords must meet complexity requirements:
1) Not contain the user's samAccountName (Account Name) value or entire displayName (Full Name value). Neither check is case sensitive.
The samAccountName is checked in its entirety only to determine whether it is part of the password. If the samAccountName is less than three characters long, this check is skipped. The displayName is parsed for delimiters: commas, periods, dashes or hyphens, underscores, spaces, pound signs, and tabs. If any of these delimiters are found, the displayName is split and all parsed sections (tokens) are confirmed to not be included in the password. Tokens that are less than three characters are ignored, and substrings of the tokens are not checked. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M", and "Hagens". Because the second token is only one character long, it is ignored. Therefore, this user could not have a password that included either "erin" or "hagens" as a substring anywhere in the password.
2) Contain characters from three of the following categories:
- Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
- Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
- Base 10 digits (0 through 9)
-Non-alphanumeric characters (special characters):
(~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)
Currency symbols such as the Euro or British Pound are not counted as special characters for this policy setting.
- Any Unicode character that is categorized as an alphabetic character but is not uppercase or lowercase. This includes Unicode characters from Asian languages.
Password Policy Store passwords using reversible encryption Disabled Determines whether the operating system stores passwords using reversible encryption.
Security Options Accounts: Guest account status Disabled Determines if the Guest account is enabled or disabled.
Security Options Domain member: Disable machine account password changes Disabled Determines whether a domain member periodically changes its computer account password.
Security Options Domain member: Maximum machine account password age 30 Determines how often a domain member will attempt to change its computer account password
Security Options Domain member: require strong (Windows 2000 or later) session key Enabled Determines whether 128-bit key strength is required for encrypted secure channel data
Security Options Interactive logon: Machine inactivity limit 900 The number of seconds of inactivity before the session is locked
Security Options User Account Control: Admin approval mode for the built-in administrator Enabled The built-in Administrator account uses Admin Approval Mode - any operation that requires elevation of privilege will prompt to user to approve that operation
Security Options User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode Prompt for consent on the secure desktop When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege.
Security Options User Account Control: Detect application installations and prompt for elevation Enabled When an application installation package is detected that requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
Security Options User Account Control: Run all Administrators in admin approval mode Enabled This policy must be enabled, and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode.
Security Options User Account Control: Virtualize file and registry write failures to per-user locations Enabled This policy setting controls whether application write failures are redirected to defined registry and file system locations. This policy setting mitigates applications that run as administrator and write run-time application data to %ProgramFiles%, %Windir%, %Windir%\system32, or HKLM\Software.
User Rights Assignments Access Credential Manager as a trusted caller No One (blank) This setting is used by Credential Manager during Backup/Restore. No accounts should have this privilege, as it is only assigned to Winlogon. Users saved credentials might be compromised if this privilege is given to other entities.
User Rights Assignments Act as part of the operating system No One (blank) This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.
User Rights Assignments Allow log on locally Administrators; Users Determines which users can log on to the computer
User Rights Assignments Back up files and directories Administrators Determines which users can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system
User Rights Assignments Create a pagefile Administrators Determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file
User Rights Assignments Create a token object No One (blank) Determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token.
User Rights Assignments Create global objects Administrators; LOCAL SERVICE; NETWORK SERVICE; SERVICE This security setting determines whether users can create global objects that are available to all sessions.
User Rights Assignments Create permanent shared objects No One (blank) Determines which accounts can be used by processes to create a directory object using the object manager
User Rights Assignments Create symbolic links Administrators Determines if the user can create a symbolic link from the computer he is logged on to
User Rights Assignments Debug programs Administrators Determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.
User Rights Assignments Deny access to this computer from the network Guests; NT AUTHORITY\Local Account Determines which users are prevented from accessing a computer over the network. This policy setting supersedes the Access this computer from the network policy setting if a user account is subject to both policies.
User Rights Assignments Deny log on locally Guests Determines which users are prevented from logging on at the computer. This policy setting supersedes the Allow log on locally policy setting if an account is subject to both policies.
User Rights Assignments Deny log on through Remote Desktop Services Guests; NT AUTHORITY\Local Account Determines which users and groups are prohibited from logging on as a Remote Desktop Services client
User Rights Assignments Force shutdown from a remote system Administrators Determines which users can shut down a computer from a remote location on the network. Misuse of this user right can result in a denial of service.
User Rights Assignments Increase scheduling priority Administrators Determines which accounts can use a process with Write Property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface.
User Rights Assignments Load and unload device drivers Administrators Determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers.
User Rights Assignments Manage auditing and security log Administrators Determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.
User Rights Assignments Modify firmware environment variables Administrators Determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.
User Rights Assignments Restore files and directories Administrators Determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object
User Rights Assignments Take ownership of files or other objects Administrators Determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads

Advanced Audit Policies

Feature Policy Setting Policy Value Description
Account Logon Audit Credential Validation Success and Failure Audit events generated by validation tests on user account logon credentials. Occurs only on the computer that is authoritative for those credentials.
Account Management Audit Security Group Management Success Audit events generated by changes to security groups, such as creating, changing or deleting security groups, adding or removing members, or changing group type.
Account Management Audit User Account Management Success and Failure Audit changes to user accounts. Events include creating, changing, deleting user accounts; renaming, disabling, enabling, locking out, or unlocking accounts; setting or changing a user account’s password; adding a security identifier (SID) to the SID History of a user account; configuring the Directory Services Restore Mode password; changing permissions on administrative user accounts; backing up or restoring Credential Manager credentials
Detailed Tracking Audit PNP Activity Success Audit when plug and play detects an external device
Detailed Tracking Audit Process Creation Success Audit events generated when a process is created or starts; the name of the application or user that created the process is also audited
Logon/ Logoff Audit Account Lockout Failure Audit events generated by a failed attempt to log on to an account that is locked out
Logon/ Logoff Audit Group Membership Success Audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
Logon/ Logoff Audit Logon Success and Failure Audit events generated by user account logon attempts on the computer
Logon/ Logoff Audit Other Logon / Logoff Events Success and Failure Audit other logon/logoff-related events that are not covered in the “Logon/Logoff” policy setting, such as Terminal Services session disconnections, new Terminal Services sessions locking and unlocking a workstation, invoking or dismissing a screen saver, detection of a Kerberos replay attack, or access to a wireless network granted to a user or computer account
Logon/ Logoff Audit Special Logon Success Audit events generated by special logons such as the use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level, or a logon by a member of a Special Group (Special Groups enable you to audit events generated when a member of a certain group has logged on to your network)
Object Access Audit Detailed File Share Failure Audit attempts to access files and folders on a shared folder; the Detailed File Share setting logs an event every time a file or folder is accessed
Object Access Audit File Share Success and Failure Audit attempts to access a shared folder; an audit event is generated when an attempt is made to access a shared folder
Object Access Audit Other Object Access Events Success and Failure Audit events generated by the management of task scheduler jobs or COM+ objects
Object Access Audit Removable Storage Success and Failure Audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested.
Policy Change Audit Audit Policy Change Success Audit changes in the security audit policy settings
Policy Change Audit Authentication Policy Change Success Audit events generated by changes to the authentication policy
Policy Change Audit MPSSVC Rule-Level Policy Change Success and Failure Audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC). This service is used by Windows Firewall.
Policy Change Audit Other Policy Change Events Failure Audit events generated by other security policy changes that are not audited in the policy change category, such as Trusted Platform Module (TPM) configuration changes, kernel-mode cryptographic self tests, cryptographic provider operations, cryptographic context operations or modifications, applied Central Access Policies (CAPs) changes, or boot Configuration Data (BCD) modifications
Privilege Use Audit Sensitive Privilege Use Success and Failure Audit events generated when sensitive privileges (user rights) are used
System Audit Other System Events Success and Failure Audit any of the following events: Startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall Service, cryptography key file and migration operations.
System Audit Security State Change Success Audit events generated by changes in the security state of the computer such as startup and shutdown of the computer, change of system time, recovering the system from CrashOnAuditFail, which is logged after a system restarts when the security event log is full and the CrashOnAuditFail registry entry is configured.
System Audit Security System Extension Success Audit events related to security system extensions or services
System Audit System Integrity Success and Failure Audit events that violate the integrity of the security subsystem

Windows Defender Firewall Policies

Feature Policy Setting Policy Value Description
Domain Profile / Logging Log dropped packets Yes Enables logging of dropped packets for a domain connection
Domain Profile / Logging Log successful connections Yes Enables logging of successful connections for a domain connection
Domain Profile / Logging Size Limit 16384 Sets the firewall log file size for a domain connection
Domain Profile / Settings Display a notification No The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the domain profile
Domain Profile / State Firewall State On Enables the firewall when connected to the domain profile
Domain Profile / State Inbound Connections Block Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the domain profile
Private Profile / Logging Log dropped packets Yes Enables logging of dropped packets for a private connection
Private Profile / Logging Log successful connections Yes Enables logging of successful connections for a private connection
Private Profile / Logging Size limit 16384 Sets the firewall log file size for a private connection
Private Profile / Settings Display a notification No The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the private profile
Private Profile / State Firewall state On Enables the firewall when connected to the private profile
Private Profile / State Inbound connections Block Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the private profile
Public Profile / Logging Log dropped packets Yes Enables logging of dropped packets for a public connection
Public Profile / Logging Log successful connections Yes Enables logging of successful connections for a public connection
Public Profile / Logging Size Limit 16384 Sets the firewall log file size for a public connection
Public Profile / Settings Apply local connection security rules No Ensures local connection rules will not be merged with Group Policy settings in the domain
Public Profile / Settings Apply local firewall rules No Users cannot create new firewall rules
Public Profile / Settings Display a notification No The display of notifications to the user is enabled when a program is blocked from receiving an inbound connection in the public profile
Public Profile / State Firewall state On Enables the firewall when connected to the public profile
Public Profile / State Inbound connections Block Unsolicited inbound connections for which there is no rule allowing the connection will be blocked in the public profile

Computer Policies

Feature Policy Setting Policy Value Description
Network / Lanman Workstation Enable insecure guest logons Disabled Determines if the SMB client will allow insecure guest logons to an SMB server
System / Device Guard Turn on Virtualization Based Security Enabled: SecureBoot and DMA Protection Specifies whether Virtualization Based Security is enabled. Virtualization Based Security uses the Windows Hypervisor to provide support for security services. Virtualization Based Security requires Secure Boot and can optionally be enabled with the use of DMA Protections. DMA protections require hardware support and will only be enabled on correctly configured devices.
System / Early Launch Antimalware Boot-Start Driver Initialization Policy Enabled: Good, Unknown and bad but critical Allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver.
System / Power Management / Sleep Settings Require a password when a computer wakes (on battery) Enabled Specifies whether the user is prompted for a password when the system resumes from sleep
System / Power Management / Sleep Settings Require a password when a computer wakes (plugged in) Enabled Specifies whether the user is prompted for a password when the system resumes from sleep
System / Remote Procedure Call Restrict Unauthenticated RPC clients Enabled: Authenticated Controls how the RPC server runtime handles unauthenticated RPC clients connecting to RPC servers.
Windows Components / App runtime Allow Microsoft accounts to be optional Enabled Lets you control whether Microsoft accounts are optional for Windows Store apps that require an account to sign in. This policy only affects Windows Store apps that support it.
Windows Components / AutoPlay Policies Disallow Autoplay for non-volume devices Enabled Disallows AutoPlay for MTP devices like cameras or phones.
Windows Components / AutoPlay Policies Set the default behavior for AutoRun Enabled: Do not execute any autorun commands Sets the default behavior for Autorun commands.
Windows Components / AutoPlay Policies Turn off Autoplay Enabled: All Drives Allows you to turn off the Autoplay feature.
Windows Components / Biometrics / Facial Features Configure enhanced anti-spoofing Enabled Determines whether enhanced anti-spoofing is required for Windows Hello face authentication
Windows Components / BitLocker Drive Encryption Choose drive encryption method and cipher strength (Windows 10) Enabled: XTA-AES-256 for operating system drives and fixed drives and AES-CBC-256 for removable drives Allows you to configure the algorithm and cipher strength used by BitLocker Drive Encryption. This policy setting is applied when you turn on BitLocker.
Windows Components / BitLocker Drive Encryption Disable new DMA devices when this computer is locked Enabled Allows you to block direct memory access (DMA) for all Thunderbolt hot pluggable PCI downstream ports until a user logs into Windows
Windows Components / BitLocker Drive Encryption / Operating System Drives Allow enhanced PINs for startup Enabled Allows you to configure whether enhanced startup PINs are used with BitLocker
Windows Components / BitLocker Drive Encryption / Operating System Drives Allow Secure Boot for integrity validation Enabled Allows you to configure whether Secure Boot will be allowed as the platform integrity provider for BitLocker operating system drives.
Windows Components / Event Log Service / Application Specify the maximum log file size (KB) Enabled: 32768 Specifies the maximum size of the log file in kilobytes.
Windows Components / Event Log Service / Security Specify the maximum log file size (KB) Enabled: 196608 Specifies the maximum size of the log file in kilobytes.
Windows Components / Event Log Service / System Specify the maximum log file size (KB) Enabled: 32768 Specifies the maximum size of the log file in kilobytes.
Windows Components / Microsoft Edge Configure Windows Defender SmartScreen Enabled Configure whether to turn on Windows Defender SmartScreen to provide warning messages to help protect your employees from potential phishing scams and malicious software
Windows Components / Windows Defender SmartScreen / Explorer Configure Windows Defender SmartScreen Warn and prevent bypass Allows you to turn Windows Defender SmartScreen on or off
Windows Components / Microsoft Edge Prevent bypassing Windows Defender SmartScreen prompts for files Enabled This policy setting lets you decide whether employees can override the Windows Defender SmartScreen warnings about downloading unverified files.
Windows Components / Windows Defender SmartScreen / Microsoft Edge Prevent bypassing Windows Defender SmartScreen prompts for sites Enabled Lets you decide whether employees can override the Windows Defender SmartScreen warnings about potentially malicious websites
Windows Components / Windows Installer Allow user control over installs Disabled Permits users to change installation options that typically are available only to system administrators
Windows Components / Windows Installer Always install with elevated privileges Disabled Directs Windows Installer to use elevated permissions when it installs any program on the system
Windows Components / Windows Logon Options Sign-in last interactive user automatically after a system-initiated restart Disabled Controls whether a device will automatically sign-in the last interactive user after Windows Update restarts the system
Windows Components / Windows Remote Management (WinRM) / WinRM Client Allow unencrypted traffic Disabled Manage whether the Windows Remote Management (WinRM) client sends and receives unencrypted messages over the network
Windows Components / Windows Remote Management (WinRM) / WinRM Service Allow unencrypted traffic Disabled Manage whether the Windows Remote Management (WinRM) service sends and receives unencrypted messages over the network.

Windows Defender Antivirus Policies

Feature Policy Setting Policy Value Description
Windows Components / Windows Defender Antivirus Turn off Windows Defender Antivirus Disabled Turns off Windows Defender Antivirus
Windows Components / Windows Defender Antivirus Configure detection for potentially unwanted applications Enabled: Audit Enable or disable detection for potentially unwanted applications. You can choose to block, audit, or allow when potentially unwanted software is being downloaded or attempts to install itself on your computer.
Windows Components / Windows Defender Antivirus / MAPS Join Microsoft MAPS Enabled: Advanced MAPS Allows you to join Microsoft MAPS. Microsoft MAPS is the online community that helps you choose how to respond to potential threats. The community also helps stop the spread of new malicious software infections.
Windows Components / Windows Defender Antivirus / MAPS Send file samples when further analysis is required Enabled: Send safe samples Configures behavior of samples submission when opt-in for MAPS telemetry is set
Windows Components / Windows Defender Antivirus / Real-time Protection Turn off real-time protection Disabled Turns off real-time protection prompts for known malware detection
Windows Components / Windows Defender Antivirus / Real-time Protection Turn on behavior monitoring Enabled Allows you to configure behavior monitoring.
Windows Components / Windows Defender Antivirus / Scan Scan removable drives Enabled Allows you to manage whether to scan for malicious software and unwanted software in the contents of removable drives, such as USB flash drives, when running a full scan.
Windows Components / Windows Defender Antivirus / Scan Specify the interval to run quick scans per day 24 Allows you to specify an interval at which to perform a quick scan. The time value is represented as the number of hours between quick scans. Valid values range from 1 (every hour) to 24 (once per day).
Windows Components / Windows Defender Antivirus / Scan Turn on e-mail scanning Enabled Allows you to configure e-mail scanning. When e-mail scanning is enabled, the engine will parse the mailbox and mail files, according to their specific format, in order to analyze the mail bodies and attachments

User Policies

Feature Policy Setting Policy Value Description
Start Menu and Taskbar / Notifications Turn off toast notifications on the lock screen Enabled Turns off toast notifications on the lock screen.
Windows Components / Cloud Content Do not suggest third-party content in the Windows spotlight Enabled Windows spotlight features like lock screen spotlight, suggested apps in Start menu or Windows tips will no longer suggest apps and content from third-party software publishers

IE Computer Policies

Feature Policy Setting Policy Value Description
Windows Components / Internet Explorer Prevent managing SmartScreen Filter Enabled: On Prevents the user from managing SmartScreen Filter, which warns the user if the website being visited is known for fraudulent attempts to gather personal information through "phishing," or is known to host malware.
Windows Components / Internet Explorer / Internet Control Panel / Advanced Page Check for server certificate revocation Enabled Allows you to manage whether Internet Explorer will check revocation status of servers' certificates
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone Don't run antimalware programs against ActiveX controls Enabled: Disable Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone Turn on Cross-Site Scripting Filter Enabled: Enable Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone Turn on Protected Mode Enabled: Enable Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone Turn on SmartScreen Filter scan Enabled: Enable Controls whether SmartScreen Filter scans pages in this zone for malicious content.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Internet Zone Use Pop-up Blocker Enabled: Enable Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone Don't run antimalware programs against ActiveX controls Enabled: Disable Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Intranet Zone Java permissions Enabled: High Safety Allows you to manage permissions for Java applets. High Safety enables applets to run in their sandbox. Disable Java to prevent any applets from running.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Local Machine Zone Don't run antimalware programs against ActiveX controls Enabled: Disable Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-down Internet Zone Turn on SmartScreen Filter scan Enabled: Enable Controls whether SmartScreen Filter scans pages in this zone for malicious content.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Restricted Sites Zone Turn on SmartScreen Filter scan Enabled: Enable Controls whether SmartScreen Filter scans pages in this zone for malicious content.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone Don't run antimalware programs against ActiveX controls Enabled: Disable Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone Turn on Cross-Site Scripting Filter Enabled: Enable Controls whether the Cross-Site Scripting (XSS) Filter will detect and prevent cross-site script injections into websites in this zone.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone Turn on Protected Mode Enabled: Enable Allows you to turn on Protected Mode. Protected Mode helps protect Internet Explorer from exploited vulnerabilities by reducing the locations that Internet Explorer can write to in the registry and the file system.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone Turn on SmartScreen Filter scan Enabled: Enable Controls whether SmartScreen Filter scans pages in this zone for malicious content.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Locked-Down Trusted Sites Zone Java permissions Enabled: Enable Allows you to configure policy settings according to the default for the selected security level, such Low, Medium, or High.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Restricted Sites Zone Use Pop-up Blocker Enabled: Enable Allows you to manage whether unwanted pop-up windows appear. Pop-up windows that are opened when the end user clicks a link are not blocked.
Windows Components / Internet Explorer / Internet Control Panel / Security Page / Trusted Sites Zone Don't run antimalware programs against ActiveX controls Enabled: Disable Determines whether Internet Explorer runs antimalware programs against ActiveX controls, to check if they're safe to load on pages.
Windows Components / Internet Explorer / Security Features Allow fallback to SSL 3.0 (Internet Explorer) Enabled: No sites Allows you to block an insecure fallback to SSL 3.0. When this policy is enabled, Internet Explorer will attempt to connect to sites using SSL 3.0 or below when TLS 1.0 or greater fails.

LAPS

Download and install the Microsoft Local Admin Password Solution (LAPS).

Feature Policy Setting Policy Value Description
LAPS Enable local admin password management Enabled Activates LAPS for the device

Custom Policies

Feature Policy Setting Policy Value Description
Computer Configuration / Administrative Templates / MS Security Guide Apply UAC restrictions to local accounts on network logon Enabled Filters the user account token for built-in administrator accounts for network logons

Services

Feature Policy Setting Policy Value Description
Scheduled Task XblGameSaveTask Disabled Syncs save data for Xbox Live save-enabled games
Services Xbox Accessory Management Service Disabled Manages connected Xbox accessories
Services Xbox Game Monitoring Disabled Monitors Xbox games currently being played
Services Xbox Live Auth Manager Disabled Provides authentication and authorization services for interactive with Xbox Live
Services Xbox Live Game Save Disabled Syncs save data for Xbox live save enabled games
Services Xbox Live Networking Service Disabled Supports the Windows.Networking.XboxLive API

Controls

The controls enabled in level 5 enforce a reasonable security level while minimizing the impact to users and applications.

Feature Config Description
Windows Defender ATP EDR Deployed to all devices The Windows Defender ATP endpoint detection and response (EDR) provides actionable and near real-time detection of advanced attacks. EDR helps security analysts , and aggregates alerts with the same attack techniques or attributed to the same attacker into an an entity called an incident. An incident helps analysts prioritize alerts, collectively investigate the full scope of a breach, and respond to threats. Windows Defender ATP EDR is not expected to impact users or applications, and it can be deployed to all devices in a single step.
Windows Defender Credential Guard Enabled for all compatible hardware Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets (TGTs), and credentials stored by applications as domain credentials. There is a small risk to application compatibility, as applications will break if they require NTLMv1, Kerberos DES encryption, Kerberos unconstrained delegation, or extracting the Keberos TGT. As such, Microsoft recommends deploying Credential Guard using the rings methodology.
Microsoft Edge Default browser Microsoft Edge in Windows 10 provides better security than Internet Explorer 11 (IE11). While you may still need to leverage IE11 for compatibility with some sites, Microsoft recommends configuring Microsoft Edge as the default browser, and building an Enterprise Mode Site List to redirect to IE11 only for those sites that require it. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Enterprise Mode Site List, and then gradually deploying this configuration using the rings methodology.
Windows Defender Application Guard Enabled on compatible hardware Windows Defender Application Guard uses a hardware isolation approach. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated container, which is separate from the host operating system and enabled by Hyper-V. If the untrusted site turns out to be malicious, the isolated container protects the host PC, and the attacker can't get to your enterprise data. There is a small risk to application compatibility, as some applications may require interaction with the host PC but may not yet be on the list of trusted web sites for Application Guard. Microsoft recommends leveraging either Windows Analytics or Enterprise Site Discovery to build the initial Network Isolation Settings, and then gradually deploying this configuration using the rings methodology.

Behaviors

The behaviors recommended in level 5 enforce a reasonable security level while minimizing the impact to users or to applications.

Feature Config Description
OS security updates Deploy Windows Quality Updates within 7 days of release As the time between the release of a patch and an exploit based on the reverse engineering of that patch continues to shrink, a critical aspect of security hygiene is having an engineering process that quickly validates and deploys Quality Updates that address security vulnerabilities.