New GPO Settings in Windows 10 Update version 1903, Based on Security Baseline (DRAFT).
Scope | Policy Path | Help Text |
---|---|---|
Machine | Windows Components\App Privacy | This policy setting specifies whether Windows apps can be activated by voice. If you choose the “User is in control” option, employees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings > Privacy on the device. If you choose the “Force Allow” option, Windows apps are allowed to be activated with a voice keyword and employees in your organization cannot change it. If you choose the “Force Deny” option, Windows apps are not allowed to be activated with a voice keyword and employees in your organization cannot change it. If you disable or do not configure this policy setting, employees in your organization can decide whether Windows apps can be activated with a voice keyword by using Settings > Privacy on the device. This policy is applied to Windows apps and Cortana. |
Machine | Windows Components\App Privacy | This policy setting specifies whether Windows apps can be activated by voice while the system is locked. If you choose the “User is in control” option, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device. If you choose the “Force Allow” option, users can interact with applications using speech while the system is locked and employees in your organization cannot change it. If you choose the “Force Deny” option, users cannot interact with applications using speech while the system is locked and employees in your organization cannot change it. If you disable or do not configure this policy setting, employees in your organization can decide whether users can interact with applications using speech while the system is locked by using Settings > Privacy on the device. This policy is applied to Windows apps and Cortana. It takes precedence over the “Allow Cortana above lock” policy. This policy is applicable only when the “Allow voice activation” policy is configured to allow applications to be activated with voice. |
Machine | Windows Components\Credential User Interface | If you turn this policy setting on, local users won’t be able to set up and use security questions to reset their passwords. |
Machine | Windows Components\Data Collection and Preview Builds | AllowCommercialDataPipeline opts the device into the Windows enterprise data pipeline. If you enable this setting, data collected from the device will be opted into the Windows enterprise data pipeline. If you disable or don’t configure this setting, all data from the device will be collected and processed in accordance with our policies for the Windows standard data pipeline. Configuring this setting does not change the telemetry collection level or the ability of the user to change the level. This setting only applies to the Windows operating system and apps included with Windows, not third-party apps or services running on Windows 10. |
Machine | Windows Components\Delivery Optimization | Set this policy to delay the fallback from Cache Server to the HTTP source for a background content download by X seconds. Note: if you set the policy to delay background download from HTTP, it will apply first (to allow downloads from peers first). |
Machine | Windows Components\Delivery Optimization | Set this policy to delay the fallback from Cache Server to the HTTP source for a foreground content download by X seconds. Note: if you set the policy to delay foreground download from HTTP, it will apply first (to allow downloads from peers first). |
Machine | System\Logon | This policy setting disables the acrylic blur effect on the logon background image. If you enable this policy, the logon background image shows without blur. If you disable or do not configure this policy, the logon background image adopts the acrylic blur effect. |
Machine | System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool | This policy setting applies recommended troubleshooting for known problems on the device and lets administrators configure how it’s applied to their domains/IT environments. Not configuring this policy setting will allow the user to configure if and how recommended troubleshooting is applied. Enabling this policy allows you to configure how recommended troubleshooting is applied on the user's device. You can select one of the following values: 0 = Turn this feature off. 1 = Turn this feature off but still apply critical troubleshooting. 2 = Notify users when recommended troubleshooting is available, then allow the user to run or ignore it. 3 = Run recommended troubleshooting automatically and notify the user after it’s been successfully run. 4 = Run recommended troubleshooting automatically without notifying the user. 5 = Allow the user to choose their own recommended troubleshooting settings. After setting this new setting, to trigger recommended troubleshooting for devices in your domain follow these instructions: 1. Create a .bat script with the following contents: `rem The following batch script triggers Recommended Troubleshooting` followed by `C:\Windows\System32\mitigationscanner.exe`. 2. To create a new immediate task, navigate to Group Policy Management Editor > Computer Configuration > Preferences and select Control Panel Settings. 3. Under Control Panel Settings, right-click Scheduled Tasks and select New. Select Immediate Task (At least Windows 7). 4. Provide a name and description as appropriate, then under Security Options set the user account to System and select the Run with highest privileges checkbox. 5. In the Actions tab create a new action, select Start a Program as its type, then enter the file created in step 1. 6. Configure the task to deploy to your domain. |
Machine | System\Service Control Manager Settings\Security Settings | This policy setting enables process mitigation options on svchost.exe processes. If you enable this policy setting, built-in system services hosted in svchost.exe processes will have stricter security policies enabled on them. This includes a policy requiring all binaries loaded in these processes to be signed by Microsoft, as well as a policy disallowing dynamically-generated code. If you disable or do not configure this policy setting, these stricter security settings will not be applied. |
Machine | System\Storage Sense | Storage Sense can automatically clean some of the user's files to free up disk space. By default, Storage Sense is automatically turned on when the machine runs into low disk space and is set to run whenever the machine runs into storage pressure. This cadence can be changed in Storage settings or set with the “Configure Storage Sense cadence” group policy. Enabled: Storage Sense is turned on for the machine with the default cadence of during low free disk space. Users cannot disable Storage Sense, but they can adjust the cadence (unless you also configure the “Configure Storage Sense cadence” group policy). Disabled: Storage Sense is turned off for the machine. Users cannot enable Storage Sense. Not Configured: By default, Storage Sense is turned off until the user runs into low disk space or the user enables it manually. Users can configure this setting in Storage settings. |
Machine | System\Storage Sense | Storage Sense can automatically clean some of the user's files to free up disk space. If the group policy “Allow Storage Sense” is disabled, then this policy does not have any effect. Enabled: You must provide the desired Storage Sense cadence. Supported options are: daily, weekly, monthly, and during low free disk space. The default is 0 (during low free disk space). Disabled or Not Configured: By default, the Storage Sense cadence is set to during low free disk space. Users can configure this setting in Storage settings. |
Machine | System\Storage Sense | When Storage Sense runs, it can delete the user's temporary files that are not in use. If the group policy “Allow Storage Sense” is disabled, then this policy does not have any effect. Enabled: Storage Sense will delete the user's temporary files that are not in use. Users cannot disable this setting in Storage settings. Disabled: Storage Sense will not delete the user's temporary files. Users cannot enable this setting in Storage settings. Not Configured: By default, Storage Sense will delete the user's temporary files. Users can configure this setting in Storage settings. |
Machine | System\Storage Sense | When Storage Sense runs, it can delete files in the user's Recycle Bin if they have been there for over a certain number of days. If the group policy “Allow Storage Sense” is disabled, then this policy does not have any effect. Enabled: You must provide the minimum age threshold (in days) of a file in the Recycle Bin before Storage Sense will delete it. Supported values are: 0 – 365. If you set this value to zero, Storage Sense will not delete files in the user's Recycle Bin. The default is 30 days. Disabled or Not Configured: By default, Storage Sense will delete files in the user's Recycle Bin that have been there for over 30 days. Users can configure this setting in Storage settings. |
Machine | System\Storage Sense | When Storage Sense runs, it can delete files in the user's Downloads folder if they have been there for over a certain number of days. If the group policy “Allow Storage Sense” is disabled, then this policy does not have any effect. Enabled: You must provide the minimum age threshold (in days) of a file in the Downloads folder before Storage Sense will delete it. Supported values are: 0 – 365. If you set this value to zero, Storage Sense will not delete files in the user's Downloads folder. The default is 0, i.e. never deleting files in the Downloads folder. Disabled or Not Configured: By default, Storage Sense will not delete files in the user's Downloads folder. Users can configure this setting in Storage settings. |
Machine | System\Storage Sense | When Storage Sense runs, it can dehydrate cloud-backed content that hasn’t been opened in a certain number of days. If the group policy “Allow Storage Sense” is disabled, then this policy does not have any effect. Enabled: You must provide the number of days since a cloud-backed file has been opened before Storage Sense will dehydrate it. Supported values are: 0 – 365. If you set this value to zero, Storage Sense will not dehydrate any cloud-backed content. The default value is 0, i.e. never dehydrating cloud-backed content. Disabled or Not Configured: By default, Storage Sense will not dehydrate any cloud-backed content. Users can configure this setting in Storage settings. |
Machine | Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment | This policy setting lets you enable the WDDM graphics display driver for Remote Desktop Connections. If you enable or do not configure this policy setting, Remote Desktop Connections will use the WDDM graphics display driver. If you disable this policy setting, Remote Desktop Connections will NOT use the WDDM graphics display driver; in this case Remote Desktop Connections will use the XDDM graphics display driver. For this change to take effect, you must restart Windows. |
Machine | Windows Components\Windows Defender Antivirus\Security Intelligence Updates | This policy setting allows you to define the security intelligence location for VDI-configured computers. If you disable or do not configure this setting, security intelligence will be obtained from the default local source. |
Machine | Windows Components\Windows Update | This policy lets you specify the number of days that a user has before quality and feature updates are installed on their devices automatically, and a grace period after which required restarts occur automatically. Updates and restarts will occur regardless of active hours, and the user will not be able to reschedule. Deadlines for feature updates and quality updates can be up to 30 days. The auto-restart grace period can be from 0 to 7 days. You can also disable auto-restarts until the end of the auto-restart grace period. If you disable or do not configure this policy, devices will get updates and will restart according to the default schedule. This policy will override the following policies: 1. Specify deadline before auto restart for update installation; 2. Specify Engaged restart transition and notification schedule for updates; 3. Always automatically restart at the scheduled time; 4. No auto-restart with logged on users for scheduled automatic updates installation. |
Machine | Windows Components\Windows Logon Options | This policy setting controls the configuration under which an automatic restart, sign on and lock occurs after a restart or cold boot. If you choose Disabled in the “Sign-in and lock last interactive user automatically after a restart” policy, then automatic sign on will not occur and this policy does not need to be configured. If you enable this policy setting, you can choose one of the following two options: 1. “Enabled if BitLocker is on and not suspended” specifies that automatic sign on and lock will only occur if BitLocker is active and not suspended during the reboot or shutdown. Personal data can be accessed on the device's hard drive at this time if BitLocker is not on or is suspended during an update. BitLocker suspension temporarily removes protection for system components and data, but may be needed in certain circumstances to successfully update boot-critical components. BitLocker is suspended during updates if the device doesn’t have TPM 2.0 and PCR7, or the device doesn’t use a TPM-only protector. 2. “Always Enabled” specifies that automatic sign on will happen even if BitLocker is off or suspended during reboot or shutdown. When BitLocker is not enabled, personal data is accessible on the hard drive. Automatic restart and sign on should only be run under this condition if you are confident that the configured device is in a secure physical location. If you disable or don’t configure this setting, automatic sign on will default to the “Enabled if BitLocker is on and not suspended” behavior. |
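The svchost.exe mitigation policy in the table above (Microsoft-signed binaries only, no dynamically generated code) is the setting most likely to break third-party code, so it is worth knowing what non-Microsoft modules are currently loaded into svchost processes before the policy is enforced. The following PowerShell inventory is an added example for this page, not code from the baseline or from Microsoft; it uses only the built-in `Get-Process` and `Get-AuthenticodeSignature` cmdlets, and the "signer subject contains O=Microsoft Corporation" test is an assumed heuristic for "Microsoft-signed", not the exact check the policy performs.

```powershell
# Added example (not part of the baseline): list DLLs loaded into svchost.exe
# processes whose Authenticode signer is not Microsoft, to surface third-party
# code that the "Enable svchost.exe mitigation options" policy would block.
# Run in an elevated session: enumerating modules of system services needs admin rights.

function Get-NonMicrosoftSvchostModules {
    [CmdletBinding()]
    param()

    $signatureCache = @{}    # file path -> signature info, so each file is verified once
    $results = New-Object System.Collections.Generic.List[object]

    foreach ($proc in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        try {
            $modules = $proc.Modules
        } catch {
            # Protected or already-exited processes cannot be enumerated; report and continue
            Write-Verbose "Cannot enumerate modules of PID $($proc.Id): $_"
            continue
        }

        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }

            if (-not $signatureCache.ContainsKey($path)) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
                $signatureCache[$path] = [pscustomobject]@{
                    Status  = $sig.Status        # Valid, NotSigned, HashMismatch, ...
                    Subject = $subject
                }
            }
            $info = $signatureCache[$path]

            # Assumed heuristic: a valid signature whose signer is Microsoft Corporation
            # counts as "Microsoft-signed"; anything else is a compatibility candidate.
            $isMicrosoft = ($info.Status -eq 'Valid') -and ($info.Subject -match 'O=Microsoft Corporation')
            if (-not $isMicrosoft) {
                $results.Add([pscustomobject]@{
                    ProcessId       = $proc.Id
                    Module          = $path
                    SignatureStatus = $info.Status
                    Signer          = $info.Subject
                })
            }
        }
    }
    return $results
}

# Usage: one row per distinct third-party module; an empty table means nothing obvious will break.
Get-NonMicrosoftSvchostModules -Verbose | Sort-Object Module -Unique | Format-Table -AutoSize
```

Run this on a representative machine per hardware and software profile (smart-card middleware, credential providers and print or network filter drivers are the usual offenders) and review every row before enabling the policy, then pilot the setting on a small OU and watch for service start failures. A file reported as `NotSigned` may still be catalog-signed on some builds, so confirm suspicious hits with the file's properties rather than acting on this list alone.

The policy help text above also walks through building a Group Policy Preferences "Immediate Task" that runs `mitigationscanner.exe` as SYSTEM. The following added example (not part of the baseline) expresses the same task with the built-in ScheduledTasks cmdlets so the action can be tried on a single machine before the GPP item is rolled out; the task name is a constructed placeholder and the scanner path is the one given in the help text.

```powershell
# Added example (not part of the baseline): equivalent of the help text's steps 1, 4 and 5,
# registering a one-shot task that runs mitigationscanner.exe as SYSTEM with highest privileges.
# Requires an elevated session.

function Register-RecommendedTroubleshootingTask {
    [CmdletBinding()]
    param(
        [string]$TaskName    = 'Trigger Recommended Troubleshooting',        # constructed name
        [string]$ScannerPath = 'C:\Windows\System32\mitigationscanner.exe'    # path from the help text
    )

    if (-not (Test-Path -Path $ScannerPath)) {
        throw "Scanner not found at $ScannerPath; check that the device runs Windows 10 1903 or later."
    }

    # Step 5: a "Start a Program" action pointing at the scanner
    $action = New-ScheduledTaskAction -Execute $ScannerPath

    # Step 4: run as the SYSTEM account with highest privileges
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

    # A GPP "Immediate Task" has no trigger; a normal task needs one, so use a one-shot
    # trigger shortly in the future and start the task explicitly to get the same effect.
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1)

    Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal -Trigger $trigger -Force | Out-Null
    Start-ScheduledTask -TaskName $TaskName
    return (Get-ScheduledTask -TaskName $TaskName)
}

# Usage: register and start the task, then inspect its state
Register-RecommendedTroubleshootingTask | Format-List TaskName, State
```

Because the task runs as SYSTEM, keep the executable path fully qualified (as the help text does) and do not point the action at a script in a user-writable location; otherwise the deployment itself becomes a privilege escalation path.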
The changes from the Windows 10 v1809 baseline include:
- Enabling the new “Enable svchost.exe mitigation options” policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically-generated code is disallowed. Please pay special attention to this one as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins.
- Configuring the new App Privacy setting, “Let Windows apps activate with voice while the system is locked,” so that users cannot interact with applications using speech while the system is locked.
- Disabling multicast name resolution (LLMNR) to mitigate server spoofing threats.
- Restricting the NetBT NodeType to P-node, disallowing the use of broadcast to register or resolve names, also to mitigate server spoofing threats. We have added a setting to the custom “MS Security Guide” ADMX to enable managing this configuration setting through Group Policy.
- Correcting an oversight in the Domain Controller baseline by adding recommended auditing settings for Kerberos authentication service.
- Dropping the password-expiration policies that require periodic password changes. This change is discussed in further detail below.
- Dropping the specific BitLocker drive encryption method and cipher strength settings. The baseline has been requiring the strongest available BitLocker encryption. We are removing that item for a few reasons. The default is 128-bit encryption, and our crypto experts tell us that there is no known danger of its being broken in the foreseeable future. On some hardware there can be noticeable performance degradation going from 128- to 256-bit. And finally, many devices such as those in the Microsoft Surface line turn on BitLocker by default and use the default algorithms. Converting those to use 256-bit requires first decrypting the volumes and then re-encrypting, which creates temporary security exposure as well as user impact.
- Dropping the File Explorer “Turn off Data Execution Prevention for Explorer” and “Turn off heap termination on corruption” settings, as it turns out they merely enforce default behavior.
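The LLMNR and NetBT NodeType items above are easy to verify locally, which helps when checking whether the custom "MS Security Guide" ADMX setting has actually applied. The following PowerShell check is an added example, not code from the baseline; the two registry locations it reads (the DNS client policy value `EnableMulticast` and the `NodeType` value under the NetBT service parameters) are assumed from general Windows documentation rather than taken from this page, so confirm them against the ADMX you deploy.

```powershell
# Added example (not part of the baseline): report whether LLMNR is disabled and whether
# NetBT is restricted to P-node (point-to-point name resolution via WINS/DNS, no broadcast),
# the two name-resolution hardening changes in the v1903 draft.
# Registry locations are assumptions from Windows documentation, not taken from the baseline.

function Test-NameResolutionHardening {
    [CmdletBinding()]
    param()

    $llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'       # assumed location
    $netbtKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'       # assumed location

    # LLMNR: the policy value EnableMulticast = 0 turns multicast name resolution off.
    # A missing value means the policy is not configured and the default (enabled) applies.
    $enableMulticast = (Get-ItemProperty -Path $llmnrKey -Name EnableMulticast -ErrorAction SilentlyContinue).EnableMulticast
    $llmnrDisabled = ($enableMulticast -eq 0)

    # NetBT NodeType: 1 = B-node, 2 = P-node, 4 = M-node, 8 = H-node.
    # Only P-node never falls back to broadcast, which is what the baseline requires.
    $nodeType = (Get-ItemProperty -Path $netbtKey -Name NodeType -ErrorAction SilentlyContinue).NodeType
    $nodeNames = @{ 1 = 'B-node (broadcast)'; 2 = 'P-node (WINS/DNS only)'; 4 = 'M-node (mixed)'; 8 = 'H-node (hybrid)' }
    $nodeLabel = if ($null -eq $nodeType) {
        'not set (default, may broadcast)'
    } elseif ($nodeNames.ContainsKey([int]$nodeType)) {
        $nodeNames[[int]$nodeType]
    } else {
        "unknown ($nodeType)"
    }

    [pscustomobject]@{
        EnableMulticast        = if ($null -eq $enableMulticast) { 'not set' } else { $enableMulticast }
        LLMNRDisabled          = $llmnrDisabled
        NetBTNodeType          = $nodeLabel
        NetBTRestrictedToPNode = ($nodeType -eq 2)
        Compliant              = $llmnrDisabled -and ($nodeType -eq 2)
    }
}

# Usage: a Compliant value of True means both v1903 name-resolution settings are in effect
Test-NameResolutionHardening | Format-List
```

The registry values show the configured policy; `ipconfig /all` shows the node type the stack is actually using ("Peer-Peer" for P-node), which is the better evidence if a GPO refresh has not yet happened. Note that NodeType only matters while NetBIOS over TCP/IP is enabled on an adapter; if NetBT is turned off entirely for an interface, there is nothing left to broadcast on it.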
You can download Security Baseline (DRAFT) v1903 here.