Microsoft Security Baseline–Configuration Details
The Microsoft Security Baseline (MSB) configurations enforce secure and complaint configurations, ensuring they meet Microsoft's security standards to protect your Windows Modern devices.
Note: The default configuration values are in accordance with
Microsoft's recommended default baseline settings (see Windows Security Baseline
Settings).
Experience
| Configuration | Description |
|---|---|
| Allow Cortana Above Lock | Enables users to interact with Cortana via speech while the system is
locked. Note: Requires Windows 10 version 1607 and
later. |
| Allow Toasts | Enables toast notifications to appear on the device lock screen. Note: Requires Windows 10 version 1607 and
later. |
| Windows Ink Workspace | Enables Windows Ink Workspace support for Windows Modern devices. Note: Requires Windows 10 version 1607 and
later. |
| Suggested Apps in Windows Ink Workspace | Enables suggested applications in Windows Ink Workspace. Note: Requires Windows 10 version 1607 and
later. |
| Windows Spotlight | Enable to turn off Windows Spotlight on the lock screen, Windows Tips,
Microsoft consumer features, and other related functionalities. Note: Requires Windows 10 version 1607 and
later. Note: This policy is not supported in
Windows Pro Edition. |
| Windows Spotlight on Action Center | Enable to turn off Windows Spotlight notifications on the Action
Center. Note: Requires Windows 10 version 1703 and
later. Note: This policy is not supported in
Windows Pro Edition. |
| Windows Spotlight on Settings | Enable to turn off suggestions in the Settings app. Note: Requires Windows 10 version 1803 and
later. Note: This policy is not supported in
Windows Pro Edition. |
| Windows Spotlight Windows Welcome Experience | Enable to turn off the Windows Spotlight Windows Welcome Experience
feature. Note: Requires Windows 10 version 1703 and
later. Note: This policy is not supported in
Windows Pro Edition. |
| Windows Spotlight on Lock Screen | Enables suggested apps in Windows Ink Workspace. Note: Requires Windows 10 version 1607 and
later. Note: This policy is not supported in
Windows Pro Edition. |
| Browser Syncing by Users | Disables syncing for the "browser" group and prevents users from
enabling the "Sync your settings" toggle in the settings. Note: Requires Windows 10 version 1809 and
later. Note: This policy is not supported in
Windows Pro Edition. |
| Auto Play for Non-volume Devices | Disables AutoPlay for MTP devices, such as cameras and phones. Note: Requires Windows 10 version 1809 and
later. |
| Default Auto Run Behavior | Enables administrators to change the default Auto Run behavior for
Windows Vista and later versions. Note: Requires
Windows 10 version 1703 and later. |
| Auto Run Commands Launch Behavior | Configure the default behavior of Auto Run commands.
Note: Requires Windows 10 version 1703 and
late
|
| Customized Warning Messages | Enable to override the default message with a warning message. Note: Requires Windows 10 version 1703 and
later. |
| Warning Message Before Sharing Control | Enter a warning message to display before starting the screen share. |
| Warning Message Before Connecting | Enter a warning message to display before starting the connection. |
| Sessions Logging | Enables the generation of log files, which are saved in the user's
Documents folder under Remote Assistance. Note: Requires Windows 10 version 1703 and later. |
| Solicited Remote Assistance | Enables users to request help via email or file transfer and use
instant messaging programs to establish connections. Note: Requires Windows 10 version 1703 and
later. |
| Permit Remote Control | Specify the permissions that helpers have for remote control access:
|
| Maximum Ticket Time | Specify the duration for which a remote assistance invitation, created via email or file transfer, can remain open. |
| Method for Sending Email Invitations | Select a method for sending remote assistance invitations:
|
| Helpers | Enter the helper details. |
| Client Connection Encryption Level | Specify the encryption method to use for communications between clients
and RD Session Host servers during remote connections. Select an encryption
level:
Note: Requires Windows 10 version 1703 and
later. |
| Block Drive Redirection | Prevents the mapping of client drives during a Remote Desktop Services
session. Note: Requires Windows 10 version 1703 and
later. |
| Block Password Saving | Disables the password saving checkbox in Remote Desktop Connection to
prevent users from saving passwords. Note: Requires
Windows 10 version 1703 and later. |
| Prompt for Password Upon Connection | Enable to require Remote Desktop Services to prompt the client for a
password every time a connection is established. Note: Requires Windows 10 version 1703 and later. |
| Secure RPC Communication | Blocks unsecured communication with untrusted clients, ensuring Remote
Desktop Services only accepts requests from RPC clients that support secure
requests. Note: Requires Windows 10 version 1703
and later. |
| Client Digest Authentication | Disables Digest Authentication for the Windows Remote Management
(WinRM) client. Note: Requires Windows 10 version 1703
and later. |
| RunAs Credentials | Disables sending of RunAsUser or RunAsPassword configuration values for
any plug-ins. If a plug-in was already set, the RunAsPassword value is
erased from the credential store. Note: Requires
Windows 10 version 1703 and later. |
| Client Basic Authentication | Enables the WinRM service to accept basic authentication of a remote
client. Note: Requires Windows 10 version 1709 and
later. |
| Basic Authentication | Disables unsecured communication with untrusted clients, ensuring
Remote Desktop Services only accepts requests from RPC clients that support
secure requests. Note: Requires Windows 10 version 1703
and later. |
| Client Unencrypted Traffic | Enables WinRM client to send or receive only encrypted messages over
the network. Note: Requires Windows 10 version 1709 and
later. |
| Unauthenticated RPC Clients | Enables the RPC server runtime to block unauthenticated RPC clients
from connecting to RPC servers on the machine. Note: Requires Windows 10 version 1703 and later. |
| Runtime Unauthenticated Client Restriction to Apply | Specify the restriction level for RPC clients:
|
Network & System
| Configuration | Description |
|---|---|
| Block Connection with Non-Domain Networks | Disables simultaneous connections to both domain-based and
non-domain-based networks. Note: Requires Windows 10
version 1803 and later. |
| Hardened UNC Path | Enables secure access to UNC paths by preventing unauthorized
connections. Note: Requires Windows 10 version 1703
and later. |
| UNC Path | Specify hardened network paths to enhance security. |
| IPv6 Source Routing Protection Level | Disables additional protection and allows source routed packages.
Choose the protection level from:
Note: Requires Windows 10 version 1803 and
later. |
| IP Source Routing Protection Level | Disables additional protection and allows source routed packages.
Choose the protection level from:
Note: Requires Windows 10 version 1803 and
later. |
| Ignore NetBIOS Name Release Requests | Enables the computer to ignore NetBIOS name release requests from all
sources except WINS servers. Note: Requires Windows 10
version 1803 and later. |
| ICMP Redirects to Override OSPF Generated Routes | Enables ICMP redirects to take precedence over OSPF generated
routes. Note: Requires Windows 10 version 1803 and
later. |
| PowerShell Script Block Logging | Enables Windows PowerShell to log the processing of commands, script
blocks, functions, and scripts, whether invoked interactively or through
automation. Note: Requires Windows 10 version 1803
and later. |
| Log Script Block Invocation Start/ Stop Events | Configures start and stop events for script logging. |
| Remote Host Allows Delegation of Non Exportable Credentials | Enables support for Restricted Admin mode or Remote Credential
Guard. Note: Requires Windows 10 version 1803 and
later. |
| Password Reveal | Hides the password reveal button after the user types a password. Note: Requires Windows 10 version 1703 and
later. |
| Enumerate Administrators | Displays all local administrator accounts on the PC, allowing the user
to select one and enter the correct password. Note: Requires Windows 10 version 1703 and later. |
| Hibernate | Enables hibernation on the machine. Note: Requires
Windows 11 version 21H2 and later. |
| Allow Standby States when Sleeping on Battery | Enables Windows to use standby states for putting the computer into a
sleep state. Note: Requires Windows 10 version 1803 and
later. |
| Require Password on Wake while on Battery | Enable to prompt the user for a password when the system resumes from
sleep. Note: Requires Windows 10 version 1703 and
later. |
| Display Off Timeout on Battery | Set the period of inactivity before Windows turns off the display when
running on battery power. Specify the Idle Time Allowed before
Display Turns Off from 0–4294967295 seconds. Note: Requires Windows 10 version 1709 and
later. |
| Display Off Timeout Plugged In | Set the period of inactivity before Windows turns off the display when
plugged in. Specify the Idle Time Allowed before Display Turns
Off from 0–4294967295 seconds. Note: Requires Windows 10 version 1709 and later. |
| Energy Saver Battery Threshold on Battery | Set the battery charge level to activate Energy Saver when running on
battery power. Set Energy Saver Battery Threshold on
Battery from 0–100. Note: Requires
Windows 10 version 1903 and later. |
| Energy Saver Battery Threshold Plugged In | Set the battery charge level to activate Energy Saver when plugged in.
Set Energy Saver Battery Threshold Plugged In from
0–100. Note: Requires Windows 10 version 1903 and
later. |
| Hibernate Timeout on Battery | Set the period of inactivity before Windows transitions the system to
hibernate when running on battery power. Set Idle Time Allowed
before Hibernating from 0–4294967295 seconds. Note: Requires Windows 10 version 1709 and
later. |
| Hibernate Timeout Plugged In | Set the period of inactivity before Windows transitions the system to
hibernate when plugged in. Set Idle Time Allowed before
Hibernating from 0–4294967295 seconds. Note: Requires Windows 10 version 1709 and
later. |
Security
| Configuration | Description |
|---|---|
| Allow Cloud Search | Enables Search and Cortana to access and retrieve information from
cloud services such as OneDrive and SharePoint. Note: Requires Windows 10 version 1709 and later. |
| Allow Find My Files | Enables Find My Files on the machine. Note: Requires Windows 10 version 1903 and later. |
| Allow Indexing Encrypted Stores or Items | Enables indexing to attempt the decryption and indexing of
content. Note: Requires Windows 10 version 1607 and
later. |
| Do Not Use Web Results | Disables the display of web results when a user performs a query in a
search and prevents the search highlights from appearing in the search
box. Note: Requires Windows 10 version 1803 and
later. Note: This policy is not supported in
Windows Pro Edition. |
| Configure SMBV1 Client Driver | Enables the configuration of the SMBv1 Client driver. Note: Requires Windows 10 version 1803 and
later. |
| Client Driver Configuration | Select the SMBv1 configuration type:
|
| Configure SMBV1 Server | Enables the configuration of server-side processing of the SMBv1
protocol. Note: Requires Windows 10 version 1803
and later. |
| Apply UAC Restrictions to Local Accounts on Network Logon | Enables the application of UAC token filtering to local accounts during
network logins. Note: Requires Windows 10 version 1803
and later. |
| Structured Exception Handling Overwrite Protection | Enables the enforcement of Structured Exception Handling Overwrite
Protection. Note: Requires Windows 10 version 1803
and later. |
| Digest Authentication | Enables the use of Digest authentication by the WinRM client. Note: Requires Windows 10 version 1803 and
later. |
| Block Remote Logon with Blank Password | Enable to restrict local accounts with blank passwords to console
logins only. Note: Requires Windows 10 version 1803 and
later. |
| Device Inactivity Time Before Suspending Session | Specify the duration of continuous idle time in a Server Message Block (SMB) session before suspending due to inactivity. Range 0–99999. |
| Smart Card Removal Behavior | Specify the behavior when a logged in user's smart card is removed from
the smart card reader:
Note: Requires Windows 10 version 1803 and
later. |
| Require Client to Always Digitally Sign Communications | Disables a Microsoft network client from communicating with a Microsoft
network server unless the server agrees to perform SMB packet signing. Note: Requires Windows 10 version 1809 and
later. |
| Require Server to Always Digitally Signing Communication | Enables a Microsoft network client to request SMB packet signing from
the server during session setup. Note: Requires Windows
10 version 1803 and later. |
| Prevent Clients From Sending Unencrypted Passwords to Third Party SMB Providers | Enables the Server Message Block (SMB) redirector to send plain-text
passwords to non-Microsoft SMB servers that do not support password
encryption during authentication. Note: Requires
Windows 10 version 1803 and later. |
| Anonymous Enumeration of SAM Accounts | Disables the enumeration of SAM accounts by replacing 'Everyone' with
'Authenticated Users' in the security permissions for resources. Note: Requires Windows 10 version 1803 and
later. |
| Anonymous Enumeration of SAM Accounts and Shares | Disables the enumeration of SAM accounts and shares. Note: Requires Windows 10 version 1803 and
later. |
| Anonymous Access to Named Pipes and Shares | Disables anonymous access to shares and pipes. Note: Requires Windows 10 version 1803 and
later. |
| Remote Calls to Security Accounts Manager | Disables remote RPC connections to SAM. Note: Requires Windows 10 version 1709 and later. |
| Network Security Accounts | Enter the Network Security Account details. |
| Network Security LAN Manager Authentication Level | Configure the security setting to specify the challenge/response
authentication protocol used for network logins. Note: Requires Windows 10 version 1803 and later. |
| Minimum Session Security for NTLM SSP Based Clients | Sets the minimum session security for NTLM SSP based clients. Note: Requires Windows 10 version 1809 and
later. |
| Minimum Session Security for NTLM SSP Based Servers | Sets the minimum session security for NTLM SSP based servers. Note: Requires Windows 10 version 1803 and
later. |
| Administrator Elevation Prompt Behavior | Set the behavior of the elevation prompt for administrator. Note: Requires Windows 10 version 1709 and
later. |
| Standard User Elevation Prompt Behavior | Set the behavior of the elevation prompt for standard users. Note: Requires Windows 10 version 1709 and
later. |
| Detect Application Installations and Prompt for Elevation | Enables prompting the user to enter an administrative username and
password when detecting an application installation package that requires
elevation of privileges. Note: Requires Windows 10
version 1709 and later. |
| Only Allow UI Access Applications for Secure Locations | Enables applications to run with UI Access integrity only if it resides
in a secure location within the file system. Note: Requires Windows 10 version 1709 and later. |
| Require Admin Approval Mode for Administrators | Enables the administrator account and all other users who are members
of the Administrators group to run in Admin Approval mode. Note: Requires Windows 10 version 1709 and
later. |
| User Admin Approval Mode | Enables the administrator account to use Admin Approval mode. Note: Requires Windows 10 version 1709 and
later. |
| Virtualize File and Registry Write Failures to Per User Locations | Enables redirection of application write failures at runtime to a
specified user locations for both the file system and registry. Note: Requires Windows 10 version 1709 and
later. |
| Prevent Device Metadata from Network | Disables Windows devices from retrieving device metadata from the
internet. Note: This setting overrides the setting
in the Device Installation Settings dialog box. Note: Requires Windows 10 version 1809 and
later. |
| Allow Installation Of Matching Device Setup Classes | Specify a list of device setup GUIDs for driver packages that Windows
is permitted to install. Note: Requires Windows 10
version 1809 and later. |
| Prevent Installation Of Matching Device Setup Classes | Specify a list of device setup GUIDs for driver packages that Windows
is prevented from installing. Note: Requires Windows 10
version 1809 and later. |
| Prevent Camera Use | Disables the lock screen camera toggle switch in settings to prevent
the camera from being used on the lock screen. Note: Requires Windows 10 version 1803 and later. |
| Prevent Lock Screen Slide Show | Disables the lock screen slide show toggle switch in settings to
prevent the slide show from playing on the lock screen. Note: Requires Windows 10 version 1803 and
later. |
| Device Enumeration Policy | Configure the device enumeration policy to control the enumeration of
external DMA capable devices that are incompatible with DMA remapping,
device memory isolation, and sandboxing. Note: Requires
Windows 10 version 1809 and later. |
| System Guard Launch | Configure secure launch on the devices. Note: Requires Windows 10 version 1809 and later. |
| Credential Guard | Configure Credential Guard settings on the device. Note: Requires Windows 10 version 1709 and
later. Note: This policy is not supported
for Windows Pro Edition. |
| Virtualization Based Security | Enables virtualization based security. Note: Requires Windows 10 Enterprise build 16299 and later and Windows 11
Enterprise and Pro only. |
| Smart Screen in Shell | Tuns on Windows Defender Smart Screen for all the users. Note: Requires Windows 10 version 1703 and
later. |
| Prevent Override for Files in Shell | Prevents overwriting existing files with new files of the same
name. Note: Requires Windows 10 version 1703 and
later. |
Settings
| Configuration | Description |
|---|---|
| Allow Microsoft Accounts to be Optional | Enables users to sign in with an enterprise account instead of a
Microsoft account for Windows Store apps. Note: Requires Windows 10 version 1803 and later. |
| Data Execution Prevention for Explorer | Enables certain legacy plug-in applications to function without
terminating Explorer. Note: Requires Windows 10 version
1803 and later. |
| Heap Termination on Corruption | Enables certain legacy plug-in applications to function without
terminating Explorer immediately, although Explorer may still be terminated
later. Note: Requires Windows 10 version 1803 and
later. |
| Delete Browsing History on Exit | Enables the deletion of browsing history, including temporary internet
files, cookies, history, form data, and passwords upon exit. Note: Requires Windows 10 version 1709 and
later. |
| Enhanced Protected Mode | Enables Enhanced Protected Mode for zones where Protected Mode is
enabled. Note: Requires Windows 10 version 1703 and
later. |
| Fallback to SSL3 | Enables Internet Explorer to connect to sites using SSL 3.0 or lower
when TLS 1.0 or higher is unavailable. Note: Requires
Windows 10 version 1709 and later. |
| Suggested Sites | Enables the prevention of prompting users to activate Suggested
Sites. Note: Requires Windows 10 version 1703 and
later. |
| Consisted MIME Handling | Enables consistent MIME data handling for all received files in
Internet Explorer. Note: Requires Windows 10 version
1709 and later. |
| Bypass of Smart Screen Warnings | Disables users from bypassing Smart Screen Filter warnings. Note: Requires Windows 10 version 1703 and
later. |
| History Configuration | Disables users from setting the number of days Internet Explorer tracks
page views in the History List. Note: Requires Windows
10 version 1709 and later. |
| Delete User Visited Websites | Enables the reservation of the websites users have visited when they
select Delete. Note: Requires Windows 10 version 1709
and later. |
| Encryption Support | Disables support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS
1.2, Secure Sockets Layer (SSL) 2.0, and SSL 3.0 in the browser. Note: Requires Windows 10 version 1703 and
later. |
| Geolocation | Enables management of Geolocation support in the browser. Note: Requires Windows 10 version 1903 and
later. |
| InPrivate Browsing | Disables Internet Explorer from storing data about users' browsing
sessions. Note: Requires Windows 10 version 1709
and later. |
| Internet Explorer Application | Disables Internet Explorer 11 from launching as a standalone
browser. Note: Requires Windows Pro 10 and later or
Windows Enterprise 10 version 1903 and later. |
| Update Check | Disables Internet Explorer from checking for the latest browser version
and notifying users of new updates. Note: Requires
Windows 10 version 1703 and later. |
| Do Not Allow Users to Change Policies | Disables the custom level button and security level slider on the
Security tab in the Internet Options dialog box. Note: Requires Windows 10 version 1703 and later. |
| Security Settings Check | Disables the security settings check feature, which assesses Internet
Explorer security settings to identify potential risks. Note: Requires Windows 10 version 1709 and
later. |
| Maximum Application Log File Size | Set the maximum Application log file size in KB. Range 1024
–2147483647. Note: Requires Windows 10 version 1703
and later. |
| Maximum System Log File Size | Set the maximum System log file size in KB. Range 1024–2147483647. Note: Requires Windows 10 version 1703 and
later. |
| Maximum Security Log File Size | Set the maximum Security log file size in KB. Range
1024–2147483647. Note: Requires Windows 10 version
1703 and later. |
| Audit Credential Validation | Configure auditing of events generated by validation tests on user
account login credentials. Note: Requires Windows 10
version 1803 and later. |
| Audit Kerberos Authentication Service | Configure the generation of an audit event after a Kerberos
authentication TGT request. Note: Requires Windows 10
version 1803 and later. |
| Audit Account Lockout | Configure Group Membership Auditing in User Logon Tokens. Note: Requires Windows 10 version 1803 and
later. |
| Audit Group Membership | Configure auditing to capture events generated by each successful
login. If the group membership information cannot fit into a single security
audit event, multiple events are created. Note: Requires Windows 10 version 1803 and later. |
| Audit Logon | Configure auditing to capture events generated by user account login
attempts on the computer. Note: Requires Windows 10
version 1803 and later. |
| Audit Other Logon Logoff Events | Configure Audit logon and logoff events, including Terminal Services
sessions, workstation locks/unlocks, screen saver activity, and Kerberos
replay attack detection. Note: Requires Windows 10
version 1803 and later. |
| Audit Special Logon | Configure auditing for events generated by special logons, such as
those with administrator-equivalent privileges used to elevate processes,
and logons by members of special groups. Note: Requires
Windows 10 version 1803 and later. |
| Audit Security Group Management |
Configure auditing for events generated by changes to security groups,
such as when:
Note: Requires Windows 10 version 1803 and
later.
|
| Audit User Account Management | Configure auditing for events generated by attempts to change a user
account. Success audits record successful attempts, while failure audits
record unsuccessful attempts. Note: Requires Windows 10
version 1803 and later. |
| Audit PNP Activity | Configure auditing to capture events when Plug and Play detects an
external device. Note: Requires Windows 10 version 1803
and later. |
| Audit Process Creation | Configure auditing for events generated when a process is created or
starts. The audit also captures the name of the application or user that
created the process. Note: Requires Windows 10 version
1803 and later. |
| Audit Detailed File Share | Configure auditing to capture attempts to access files and folders on a
shared folder. Detailed File Share audit events include information about
the permissions used to grant or deny access. Note: Requires Windows 10 version 1803 and later. |
| Audit Other Object Access Events | Configure auditing to capture events generated by the management of
Task Scheduler jobs or COM+ objects. Note: Requires
Windows 10 version 1803 and later. |
| Audit Removable Storage | Configure auditing to capture user attempts to access file system
objects on a removable storage device. Audit events are generated for all
objects and all types of requested access. Note: Requires Windows 10 version 1803 and later. |
| Audit Authentication Policy Change |
Configure auditing to capture events generated by changes to the
authentication policy:
Note: Requires Windows 10 version 1803 and
later.
|
| Audit MPSSVC Rule Level Policy Change | Configure auditing to capture events generated by changes in policy
rules used by the Microsoft Protection Service (MPSSVC) for Windows Defender
Firewall. Note: Requires Windows 10 version 1803
and later. |
| Audit Other Policy Change Events |
Configure auditing to capture events generated by other security policy
changes not covered in the policy change category. This includes:
Note: Requires Windows 10 version 1803 and
later.
|
| Audit Policy Change |
Configure auditing to capture changes in security audit policy settings,
such as:
Note: Requires Windows 10 version 1803 and
later.
|
| Audit Sensitive Privilege Use |
Configure auditing to capture events generated when sensitive privileges
are used, such as:
Note: Requires Windows 10 version 1803 and
later.
|
| Audit Other System Events |
Configure auditing to capture events such as:
Note: Requires Windows 10 version 1803 and
later.
|
| Audit Security State Change |
Configure auditing to capture events generated by changes in the security
state of the computer, such as:
Note: Requires Windows 10 version 1803 and
later.
|
| Audit Security System Extension | Configure auditing to capture events related to security system
extensions or services such as when an authentication, notification, or
security package is loaded and registered with the Local Security Authority
(LSA). Note: Requires Windows 10 version 1803 and
later. |
| Audit System Integrity | Configure auditing to capture events that violate the integrity of the
security subsystem, such as events that could not be written to the event
log due to a problem with the auditing system. Note: Requires Windows 10 version 1803 and later. |