Microsoft Releases Final Security Baseline Recommendations for Windows 10 Creators Update

Richard Hay, Senior Content Producer

August 31, 2017

2 Min Read
Cyber Security Warning

Whether you have already rolled out the Windows 10 Creators Update to your end users or are currently testing the feature update in your own evaluation rings, the baseline security recommendations from Microsoft give you a good starting place for establishing security settings for these devices.

Back in June of this year, Microsoft released their draft version of the security baseline for the Creators Update so that IT Pros and System Admins could evaluate them and provide feedback.

This week they finalized the feedback and are now providing a download that contains a collection of documents that lay out the documentation, GP Reports, GPOs, Local Scripts, Templates, and WMI Filters that can be used as a baseline to then create your own default security posture for the Creators Update.

According to Microsoft these updates will be added to the Security Compliance Toolkit only as the Security Compliance Manager tool has been retired.

There are just three differences between the draft recommendations and the final ones:

-- The security settings that disallowed Internet Explorer from using downloaded fonts in the Internet and Restricted Sites zones have been removed. This change in IE11 recommendations applies only to Windows 10, and is possible because of Windows 10's additional mitigations as described in the blog post, Dropping the "Untrusted Font Blocking" setting.

-- The enforcement of the default for the User Rights Assignment, Generate security audits (SeAuditPrivilege), has been removed. Enforcing the default does not mitigate contemporary security threats, and hampers the functionality of programs such as System Center Operations Manager (SCOM) that need to change the default.

-- We are enabling the setting, "Do not suggest third-party content in Windows spotlight" in User ConfigurationAdministrative TemplatesWindows ComponentsCloud Content. Enabling this setting is consistent with our having previously enabled "Turn off Microsoft consumer experiences."

Having a solid baseline is a good starting point as you look towards rolling out the Creators Update in your own organization.

----------

But, wait...there's probably more so be sure to follow me on Twitter and Google+.

----------------------------------

Read more about:

Microsoft

About the Author

Richard Hay

Senior Content Producer, IT Pro Today (Informa Tech)

I served for 29 plus years in the U.S. Navy and retired as a Master Chief Petty Officer in November 2011. My work background in the Navy was telecommunications related so my hobby of computers fit well with what I did for the Navy. I consider myself a tech geek and enjoy most things in that arena.

My first website – AnotherWin95.com – came online in 1995. Back then I used GeoCities Web Hosting for it and WindowsObserver.com is the result of the work I have done on that site since 1995.

In January 2010 my community contributions were recognized by Microsoft when I received my first Most Valuable Professional (MVP) Award for the Windows Operating System. Since then I have been renewed as a Microsoft MVP each subsequent year since that initial award. I am also a member of the inaugural group of Windows Insider MVPs which began in 2016.

I previously hosted the Observed Tech PODCAST for 10 years and 317 episodes and now host a new podcast called Faith, Tech, and Space. 

I began contributing to Penton Technology websites in January 2015 and in April 2017 I was hired as the Senior Content Producer for Penton Technology which is now Informa Tech. In that role, I contribute to ITPro Today and cover operating systems, enterprise technology, and productivity.

https://twitter.com/winobs

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like