Microsoft Security Baseline–Configuration Details

The Microsoft Security Baseline (MSB) configurations enforce secure and compliant configurations, ensuring they meet Microsoft's security standards to protect your Windows Modern devices.

Note: The default configuration values are in accordance with Microsoft's recommended default baseline settings (see Windows Security Baseline Settings).

Experience

Configuration Description
Allow Cortana Above Lock Enables users to interact with Cortana via speech while the system is locked.
Note: Requires Windows 10 version 1607 and later.
Allow Toasts Enables toast notifications to appear on the device lock screen.
Note: Requires Windows 10 version 1607 and later.
Windows Ink Workspace Enables Windows Ink Workspace support for Windows Modern devices.
Note: Requires Windows 10 version 1607 and later.
Suggested Apps in Windows Ink Workspace Enables suggested applications in Windows Ink Workspace.
Note: Requires Windows 10 version 1607 and later.
Windows Spotlight Enable to turn off Windows Spotlight on the lock screen, Windows Tips, Microsoft consumer features, and other related functionalities.
Note: Requires Windows 10 version 1607 and later.
Note: This policy is not supported in Windows Pro Edition.
Windows Spotlight on Action Center Enable to turn off Windows Spotlight notifications on the Action Center.
Note: Requires Windows 10 version 1703 and later.
Note: This policy is not supported in Windows Pro Edition.
Windows Spotlight on Settings Enable to turn off suggestions in the Settings app.
Note: Requires Windows 10 version 1803 and later.
Note: This policy is not supported in Windows Pro Edition.
Windows Spotlight Windows Welcome Experience Enable to turn off the Windows Spotlight Windows Welcome Experience feature.
Note: Requires Windows 10 version 1703 and later.
Note: This policy is not supported in Windows Pro Edition.
Windows Spotlight on Lock Screen Enables suggested apps in Windows Ink Workspace.
Note: Requires Windows 10 version 1607 and later.
Note: This policy is not supported in Windows Pro Edition.
Browser Syncing by Users Disables syncing for the "browser" group and prevents users from enabling the "Sync your settings" toggle in the settings.
Note: Requires Windows 10 version 1809 and later.
Note: This policy is not supported in Windows Pro Edition.
Auto Play for Non-volume Devices Disables AutoPlay for MTP devices, such as cameras and phones.
Note: Requires Windows 10 version 1809 and later.
Default Auto Run Behavior Enables administrators to change the default Auto Run behavior for Windows Vista and later versions.
Note: Requires Windows 10 version 1703 and later.
Auto Run Commands Launch Behavior Configure the default behavior of Auto Run commands.
  • Do not execute
  • Automatically execute
Note: Requires Windows 10 version 1703 and later.
Customized Warning Messages Enable to override the default message with a warning message.
Note: Requires Windows 10 version 1703 and later.
Warning Message Before Sharing Control Enter a warning message to display before starting the screen share.
Warning Message Before Connecting Enter a warning message to display before starting the connection.
Sessions Logging Enables the generation of log files, which are saved in the user's Documents folder under Remote Assistance.
Note: Requires Windows 10 version 1703 and later.
Solicited Remote Assistance Enables users to request help via email or file transfer and use instant messaging programs to establish connections.
Note: Requires Windows 10 version 1703 and later.
Permit Remote Control Specify the permissions that helpers have for remote control access:
  • Allow helpers to only view the computer
  • Allow helpers to remotely control the computer
Maximum Ticket Time Specify the duration for which a remote assistance invitation, created via email or file transfer, can remain open.
Method for Sending Email Invitations Select a method for sending remote assistance invitations:
  • Simple MAPI
  • Mailto
Helpers Enter the helper details.
Client Connection Encryption Level Specify the encryption method to use for communications between clients and RD Session Host servers during remote connections. Select an encryption level:
  • Low
  • Client Compatible
  • High (default)
Note: Requires Windows 10 version 1703 and later.
Block Drive Redirection Prevents the mapping of client drives during a Remote Desktop Services session.
Note: Requires Windows 10 version 1703 and later.
Block Password Saving Disables the password saving checkbox in Remote Desktop Connection to prevent users from saving passwords.
Note: Requires Windows 10 version 1703 and later.
Prompt for Password Upon Connection Enable to require Remote Desktop Services to prompt the client for a password every time a connection is established.
Note: Requires Windows 10 version 1703 and later.
Secure RPC Communication Blocks unsecured communication with untrusted clients, ensuring Remote Desktop Services only accepts requests from RPC clients that support secure requests.
Note: Requires Windows 10 version 1703 and later.
Client Digest Authentication Disables Digest Authentication for the Windows Remote Management (WinRM) client.
Note: Requires Windows 10 version 1703 and later.
RunAs Credentials Disables sending of RunAsUser or RunAsPassword configuration values for any plug-ins. If a plug-in was already set, the RunAsPassword value is erased from the credential store.
Note: Requires Windows 10 version 1703 and later.
Client Basic Authentication Enables the WinRM service to accept basic authentication of a remote client.
Note: Requires Windows 10 version 1709 and later.
Basic Authentication Disables unsecured communication with untrusted clients, ensuring Remote Desktop Services only accepts requests from RPC clients that support secure requests.
Note: Requires Windows 10 version 1703 and later.
Client Unencrypted Traffic Enables the WinRM client to send or receive only encrypted messages over the network.
Note: Requires Windows 10 version 1709 and later.
Unauthenticated RPC Clients Enables the RPC server runtime to block unauthenticated RPC clients from connecting to RPC servers on the machine.
Note: Requires Windows 10 version 1703 and later.
Runtime Unauthenticated Client Restriction to Apply Specify the restriction level for RPC clients:
  • None
  • Authenticated
  • Authenticated without exceptions

Network & System

Configuration Description
Block Connection with Non-Domain Networks Disables simultaneous connections to both domain-based and non-domain-based networks.
Note: Requires Windows 10 version 1803 and later.
Hardened UNC Path Enables secure access to UNC paths by preventing unauthorized connections.
Note: Requires Windows 10 version 1703 and later.
UNC Path Specify hardened network paths to enhance security.
IPv6 Source Routing Protection Level Disables additional protection and allows source routed packets. Choose the protection level from:
  • No Additional Protection
  • Medium Protection
  • Highest Protection
Note: Requires Windows 10 version 1803 and later.
IP Source Routing Protection Level Disables additional protection and allows source routed packets. Choose the protection level from:
  • No Additional Protection
  • Medium Protection
  • Highest Protection
Note: Requires Windows 10 version 1803 and later.
Ignore NetBIOS Name Release Requests Enables the computer to ignore NetBIOS name release requests from all sources except WINS servers.
Note: Requires Windows 10 version 1803 and later.
ICMP Redirects to Override OSPF Generated Routes Enables ICMP redirects to take precedence over OSPF generated routes.
Note: Requires Windows 10 version 1803 and later.
PowerShell Script Block Logging Enables Windows PowerShell to log the processing of commands, script blocks, functions, and scripts, whether invoked interactively or through automation.
Note: Requires Windows 10 version 1803 and later.
Log Script Block Invocation Start/Stop Events Configures start and stop events for script logging.
Remote Host Allows Delegation of Non Exportable Credentials Enables support for Restricted Admin mode or Remote Credential Guard.
Note: Requires Windows 10 version 1803 and later.
Password Reveal Hides the password reveal button after the user types a password.
Note: Requires Windows 10 version 1703 and later.
Enumerate Administrators Displays all local administrator accounts on the PC, allowing the user to select one and enter the correct password.
Note: Requires Windows 10 version 1703 and later.
Hibernate Enables hibernation on the machine.
Note: Requires Windows 11 version 21H2 and later.
Allow Standby States when Sleeping on Battery Enables Windows to use standby states for putting the computer into a sleep state.
Note: Requires Windows 10 version 1803 and later.
Require Password on Wake while on Battery Enable to prompt the user for a password when the system resumes from sleep.
Note: Requires Windows 10 version 1703 and later.
Display Off Timeout on Battery Set the period of inactivity before Windows turns off the display when running on battery power. Specify the Idle Time Allowed before Display Turns Off from 0–4294967295 seconds.
Note: Requires Windows 10 version 1709 and later.
Display Off Timeout Plugged In Set the period of inactivity before Windows turns off the display when plugged in. Specify the Idle Time Allowed before Display Turns Off from 0–4294967295 seconds.
Note: Requires Windows 10 version 1709 and later.
Energy Saver Battery Threshold on Battery Set the battery charge level to activate Energy Saver when running on battery power. Set Energy Saver Battery Threshold on Battery from 0–100.
Note: Requires Windows 10 version 1903 and later.
Energy Saver Battery Threshold Plugged In Set the battery charge level to activate Energy Saver when plugged in. Set Energy Saver Battery Threshold Plugged In from 0–100.
Note: Requires Windows 10 version 1903 and later.
Hibernate Timeout on Battery Set the period of inactivity before Windows transitions the system to hibernate when running on battery power. Set Idle Time Allowed before Hibernating from 0–4294967295 seconds.
Note: Requires Windows 10 version 1709 and later.
Hibernate Timeout Plugged In Set the period of inactivity before Windows transitions the system to hibernate when plugged in. Set Idle Time Allowed before Hibernating from 0–4294967295 seconds.
Note: Requires Windows 10 version 1709 and later.

Security

Configuration Description
Allow Cloud Search Enables Search and Cortana to access and retrieve information from cloud services such as OneDrive and SharePoint.
Note: Requires Windows 10 version 1709 and later.
Allow Find My Files Enables Find My Files on the machine.
Note: Requires Windows 10 version 1903 and later.
Allow Indexing Encrypted Stores or Items Enables indexing to attempt the decryption and indexing of content.
Note: Requires Windows 10 version 1607 and later.
Do Not Use Web Results Disables the display of web results when a user performs a query in a search and prevents the search highlights from appearing in the search box.
Note: Requires Windows 10 version 1803 and later.
Note: This policy is not supported in Windows Pro Edition.
Configure SMBv1 Client Driver Enables the configuration of the SMBv1 Client driver.
Note: Requires Windows 10 version 1803 and later.
Client Driver Configuration Select the SMBv1 configuration type:
  • Automatic Start
  • Manual Start
  • Disable Driver
Configure SMBv1 Server Enables the configuration of server-side processing of the SMBv1 protocol.
Note: Requires Windows 10 version 1803 and later.
Apply UAC Restrictions to Local Accounts on Network Logon Enables the application of UAC token filtering to local accounts during network logins.
Note: Requires Windows 10 version 1803 and later.
Structured Exception Handling Overwrite Protection Enables the enforcement of Structured Exception Handling Overwrite Protection.
Note: Requires Windows 10 version 1803 and later.
Digest Authentication Enables the use of Digest authentication by the WinRM client.
Note: Requires Windows 10 version 1803 and later.
Block Remote Logon with Blank Password Enable to restrict local accounts with blank passwords to console logins only.
Note: Requires Windows 10 version 1803 and later.
Device Inactivity Time Before Suspending Session Specify the duration of continuous idle time in a Server Message Block (SMB) session before suspending due to inactivity. Range 0–99999.
Smart Card Removal Behavior Specify the behavior when a logged in user's smart card is removed from the smart card reader:
  • No Action
  • Lock Workstation
  • Force Logoff
  • Disconnect, if in a Remote Desktop Services Session
Note: Requires Windows 10 version 1803 and later.
Require Client to Always Digitally Sign Communications Prevents a Microsoft network client from communicating with a Microsoft network server unless the server agrees to perform SMB packet signing.
Note: Requires Windows 10 version 1809 and later.
Require Server to Always Digitally Sign Communications Enables a Microsoft network client to request SMB packet signing from the server during session setup.
Note: Requires Windows 10 version 1803 and later.
Prevent Clients From Sending Unencrypted Passwords to Third Party SMB Providers Enables the Server Message Block (SMB) redirector to send plain-text passwords to non-Microsoft SMB servers that do not support password encryption during authentication.
Note: Requires Windows 10 version 1803 and later.
Anonymous Enumeration of SAM Accounts Disables the enumeration of SAM accounts by replacing 'Everyone' with 'Authenticated Users' in the security permissions for resources.
Note: Requires Windows 10 version 1803 and later.
Anonymous Enumeration of SAM Accounts and Shares Disables the enumeration of SAM accounts and shares.
Note: Requires Windows 10 version 1803 and later.
Anonymous Access to Named Pipes and Shares Disables anonymous access to shares and pipes.
Note: Requires Windows 10 version 1803 and later.
Remote Calls to Security Accounts Manager Disables remote RPC connections to SAM.
Note: Requires Windows 10 version 1709 and later.
Network Security Accounts Enter the Network Security Account details.
Network Security LAN Manager Authentication Level Configure the security setting to specify the challenge/response authentication protocol used for network logins.
Note: Requires Windows 10 version 1803 and later.
Minimum Session Security for NTLM SSP Based Clients Sets the minimum session security for NTLM SSP based clients.
Note: Requires Windows 10 version 1809 and later.
Minimum Session Security for NTLM SSP Based Servers Sets the minimum session security for NTLM SSP based servers.
Note: Requires Windows 10 version 1803 and later.
Administrator Elevation Prompt Behavior Set the behavior of the elevation prompt for administrator.
Note: Requires Windows 10 version 1709 and later.
Standard User Elevation Prompt Behavior Set the behavior of the elevation prompt for standard users.
Note: Requires Windows 10 version 1709 and later.
Detect Application Installations and Prompt for Elevation Enables prompting the user to enter an administrative username and password when detecting an application installation package that requires elevation of privileges.
Note: Requires Windows 10 version 1709 and later.
Only Allow UI Access Applications for Secure Locations Enables applications to run with UI Access integrity only if they reside in a secure location within the file system.
Note: Requires Windows 10 version 1709 and later.
Require Admin Approval Mode for Administrators Enables the administrator account and all other users who are members of the Administrators group to run in Admin Approval mode.
Note: Requires Windows 10 version 1709 and later.
User Admin Approval Mode Enables the administrator account to use Admin Approval mode.
Note: Requires Windows 10 version 1709 and later.
Virtualize File and Registry Write Failures to Per User Locations Enables redirection of application write failures at runtime to specified per-user locations for both the file system and registry.
Note: Requires Windows 10 version 1709 and later.
Prevent Device Metadata from Network Prevents Windows devices from retrieving device metadata from the internet.
Note: This setting overrides the setting in the Device Installation Settings dialog box.
Note: Requires Windows 10 version 1809 and later.
Allow Installation Of Matching Device Setup Classes Specify a list of device setup GUIDs for driver packages that Windows is permitted to install.
Note: Requires Windows 10 version 1809 and later.
Prevent Installation Of Matching Device Setup Classes Specify a list of device setup GUIDs for driver packages that Windows is prevented from installing.
Note: Requires Windows 10 version 1809 and later.
Prevent Camera Use Disables the lock screen camera toggle switch in settings to prevent the camera from being used on the lock screen.
Note: Requires Windows 10 version 1803 and later.
Prevent Lock Screen Slide Show Disables the lock screen slide show toggle switch in settings to prevent the slide show from playing on the lock screen.
Note: Requires Windows 10 version 1803 and later.
Device Enumeration Policy Configure the device enumeration policy to control the enumeration of external DMA capable devices that are incompatible with DMA remapping, device memory isolation, and sandboxing.
Note: Requires Windows 10 version 1809 and later.
System Guard Launch Configure secure launch on the devices.
Note: Requires Windows 10 version 1809 and later.
Credential Guard Configure Credential Guard settings on the device.
Note: Requires Windows 10 version 1709 and later.
Note: This policy is not supported for Windows Pro Edition.
Virtualization Based Security Enables virtualization based security.
Note: Requires Windows 10 Enterprise build 16299 and later; on Windows 11, supported on Enterprise and Pro editions only.
Smart Screen in Shell Turns on Windows Defender Smart Screen for all users.
Note: Requires Windows 10 version 1703 and later.
Prevent Override for Files in Shell Prevents overwriting existing files with new files of the same name.
Note: Requires Windows 10 version 1703 and later.
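As an added example (not code from the original page or from Microsoft), the following PowerShell script audits a device against a subset of the rows in the Experience, Network & System and Security tables above by reading the policy-backed registry values behind them. The registry keys, value names and expected values are this example's assumptions, taken from how these policies land in the registry when applied by Group Policy; the page lists only row names and descriptions, and an MDM channel may apply some of them elsewhere.

```powershell
# Added example, not code from the original page or from Microsoft: audit the
# local registry state behind a subset of the rows in the Experience,
# Network & System and Security tables above. Registry locations and expected
# values are this example's assumptions; the page lists only the row names
# and descriptions. Run on the device being checked.

$BaselineChecks = @(
    # Experience: Remote Desktop Services and Remote Assistance
    @{ Row = 'Client Connection Encryption Level = High'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'MinEncryptionLevel';    Expected = 3 }
    @{ Row = 'Block Password Saving';                     Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'DisablePasswordSaving'; Expected = 1 }
    @{ Row = 'Secure RPC Communication';                  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'fEncryptRPCTraffic';    Expected = 1 }
    @{ Row = 'Solicited Remote Assistance (off)';         Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'; Name = 'fAllowToGetHelp';       Expected = 0 }
    # Experience: WinRM, RPC and AutoPlay
    @{ Row = 'Client Basic Authentication (off)';         Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';  Name = 'AllowBasic';              Expected = 0 }
    @{ Row = 'Client Unencrypted Traffic (off)';          Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';  Name = 'AllowUnencryptedTraffic'; Expected = 0 }
    @{ Row = 'RunAs Credentials (disabled)';              Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Service'; Name = 'DisableRunAs';            Expected = 1 }
    @{ Row = 'Unauthenticated RPC Clients = Authenticated'; Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Rpc';      Name = 'RestrictRemoteClients';   Expected = 1 }
    @{ Row = 'Auto Play for Non-volume Devices (off)';    Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoAutoplayfornonVolume'; Expected = 1 }
    @{ Row = 'Auto Run Commands = Do not execute';        Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoAutorun';              Expected = 1 }
    # Network & System
    @{ Row = 'IP Source Routing = Highest Protection';    Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';  Name = 'DisableIPSourceRouting'; Expected = 2 }
    @{ Row = 'IPv6 Source Routing = Highest Protection';  Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'; Name = 'DisableIPSourceRouting'; Expected = 2 }
    @{ Row = 'ICMP Redirects Override OSPF Routes (off)'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';  Name = 'EnableICMPRedirect';     Expected = 0 }
    @{ Row = 'Ignore NetBIOS Name Release Requests';      Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters';  Name = 'NoNameReleaseOnDemand';  Expected = 1 }
    @{ Row = 'Hardened UNC Path for SYSVOL';              Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'; Name = '\\*\SYSVOL'; Expected = 'RequireMutualAuthentication=1, RequireIntegrity=1' }
    @{ Row = 'PowerShell Script Block Logging';           Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name = 'EnableScriptBlockLogging'; Expected = 1 }
    @{ Row = 'Delegation of Non Exportable Credentials';  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'; Name = 'AllowProtectedCreds'; Expected = 1 }
    @{ Row = 'Password Reveal (hidden)';                  Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredUI';          Name = 'DisablePasswordReveal';   Expected = 1 }
    # Security
    @{ Row = 'Configure SMBv1 Server (disabled)';         Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'SMB1';                          Expected = 0 }
    @{ Row = 'SMBv1 Client Driver = Disable Driver';      Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10';                    Name = 'Start';                         Expected = 4 }
    @{ Row = 'Apply UAC Restrictions to Local Accounts';  Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';    Name = 'LocalAccountTokenFilterPolicy'; Expected = 0 }
    @{ Row = 'SEHOP enforced';                            Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel';       Name = 'DisableExceptionChainValidation'; Expected = 0 }
    @{ Row = 'Block Remote Logon with Blank Password';    Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                          Name = 'LimitBlankPasswordUse';         Expected = 1 }
    @{ Row = 'Smart Card Removal = Lock Workstation';     Key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';         Name = 'ScRemoveOption';                Expected = '1' }
    @{ Row = 'Client Always Digitally Signs';             Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'RequireSecuritySignature';      Expected = 1 }
    @{ Row = 'Server Always Digitally Signs';             Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';      Name = 'RequireSecuritySignature';      Expected = 1 }
    @{ Row = 'No Unencrypted Passwords to Third Party SMB'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'; Name = 'EnablePlainTextPassword';     Expected = 0 }
    @{ Row = 'Anonymous Enumeration of SAM Accounts (off)';      Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymousSAM'; Expected = 1 }
    @{ Row = 'Anonymous Enumeration of SAM and Shares (off)';    Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous';    Expected = 1 }
    @{ Row = 'Anonymous Access to Named Pipes and Shares (off)'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'RestrictNullSessAccess'; Expected = 1 }
    @{ Row = 'Remote Calls to SAM = Administrators only'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictRemoteSAM';    Expected = 'O:BAG:BAD:(A;;RC;;;BA)' }
    @{ Row = 'LAN Manager Authentication Level = NTLMv2 only'; Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'LmCompatibilityLevel'; Expected = 5 }
    @{ Row = 'Min Session Security, NTLM SSP Clients';    Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NTLMMinClientSec'; Expected = 537395200 }  # 0x20080000: NTLMv2 + 128-bit
    @{ Row = 'Min Session Security, NTLM SSP Servers';    Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'; Name = 'NTLMMinServerSec'; Expected = 537395200 }
    @{ Row = 'Administrator Elevation Prompt = consent on secure desktop'; Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ConsentPromptBehaviorAdmin'; Expected = 2 }
    @{ Row = 'Standard User Elevation Prompt = deny';     Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'ConsentPromptBehaviorUser';  Expected = 0 }
    @{ Row = 'Admin Approval Mode for Administrators';    Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA';                  Expected = 1 }
    @{ Row = 'Prevent Device Metadata from Network';      Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata'; Name = 'PreventDeviceMetadataFromNetwork'; Expected = 1 }
    @{ Row = 'Prevent Camera Use on Lock Screen';         Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization'; Name = 'NoLockScreenCamera';       Expected = 1 }
    @{ Row = 'Smart Screen in Shell (on)';                Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';          Name = 'EnableSmartScreen';        Expected = 1 }
    @{ Row = 'Virtualization Based Security';             Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard';        Name = 'EnableVirtualizationBasedSecurity'; Expected = 1 }
)

function Get-BaselineRegistryValue {
    param([string]$Key, [string]$Name)
    # Get-Item + GetValue rather than Get-ItemProperty -Name, because -Name treats
    # '*' as a wildcard and the hardened UNC path value is literally '\\*\SYSVOL'.
    $item = Get-Item -LiteralPath $Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.GetValue($Name, $null)
}

function Test-BaselineRows {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-BaselineRegistryValue -Key $c.Key -Name $c.Name
        # Compare as whitespace-free strings so DWORD, string and the
        # comma-separated hardened-path data all go through one rule.
        if ($null -eq $actual) { $status = 'NotConfigured' }
        elseif (("$actual" -replace '\s', '') -eq ("$($c.Expected)" -replace '\s', '')) { $status = 'Compliant' }
        else { $status = 'Drift' }
        [pscustomobject]@{ Status = $status; Row = $c.Row; Expected = $c.Expected; Actual = $actual; Value = "$($c.Key)\$($c.Name)" }
    }
}

$results = Test-BaselineRows -Checks $BaselineChecks
$results | Sort-Object Status | Format-Table Status, Row, Expected, Actual -AutoSize
# Exit non-zero on drift so the script can gate a rollout. NotConfigured rows mean
# the policy value is absent and the OS default applies; review those by hand.
if ($results | Where-Object Status -eq 'Drift') { exit 1 }
```

Two design points: values are read with `GetValue` rather than `Get-ItemProperty -Name`, because the latter treats `*` as a wildcard and the hardened UNC path value name contains one; and an absent value is reported as NotConfigured rather than Drift, since for a registry-backed policy absence means the operating-system default applies, which may or may not match the row's intent and needs a human decision rather than an automatic failure.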

Settings

Configuration Description
Allow Microsoft Accounts to be Optional Enables users to sign in with an enterprise account instead of a Microsoft account for Windows Store apps.
Note: Requires Windows 10 version 1803 and later.
Data Execution Prevention for Explorer Enables certain legacy plug-in applications to function without terminating Explorer.
Note: Requires Windows 10 version 1803 and later.
Heap Termination on Corruption Enables certain legacy plug-in applications to function without terminating Explorer immediately, although Explorer may still be terminated later.
Note: Requires Windows 10 version 1803 and later.
Delete Browsing History on Exit Enables the deletion of browsing history, including temporary internet files, cookies, history, form data, and passwords upon exit.
Note: Requires Windows 10 version 1709 and later.
Enhanced Protected Mode Enables Enhanced Protected Mode for zones where Protected Mode is enabled.
Note: Requires Windows 10 version 1703 and later.
Fallback to SSL3 Enables Internet Explorer to connect to sites using SSL 3.0 or lower when TLS 1.0 or higher is unavailable.
Note: Requires Windows 10 version 1709 and later.
Suggested Sites Prevents users from being prompted to activate Suggested Sites.
Note: Requires Windows 10 version 1703 and later.
Consistent MIME Handling Enables consistent MIME data handling for all received files in Internet Explorer.
Note: Requires Windows 10 version 1709 and later.
Bypass of Smart Screen Warnings Prevents users from bypassing Smart Screen Filter warnings.
Note: Requires Windows 10 version 1703 and later.
History Configuration Prevents users from setting the number of days Internet Explorer tracks page views in the History List.
Note: Requires Windows 10 version 1709 and later.
Delete User Visited Websites Enables the preservation of the websites users have visited when they select Delete.
Note: Requires Windows 10 version 1709 and later.
Encryption Support Disables support for Transport Layer Security (TLS) 1.0, TLS 1.1, TLS 1.2, Secure Sockets Layer (SSL) 2.0, and SSL 3.0 in the browser.
Note: Requires Windows 10 version 1703 and later.
Geolocation Enables management of Geolocation support in the browser.
Note: Requires Windows 10 version 1903 and later.
InPrivate Browsing Prevents Internet Explorer from storing data about users' browsing sessions.
Note: Requires Windows 10 version 1709 and later.
Internet Explorer Application Prevents Internet Explorer 11 from launching as a standalone browser.
Note: Requires Windows 10 Pro and later, or Windows 10 Enterprise version 1903 and later.
Update Check Prevents Internet Explorer from checking for the latest browser version and notifying users of new updates.
Note: Requires Windows 10 version 1703 and later.
Do Not Allow Users to Change Policies Disables the custom level button and security level slider on the Security tab in the Internet Options dialog box.
Note: Requires Windows 10 version 1703 and later.
Security Settings Check Disables the security settings check feature, which assesses Internet Explorer security settings to identify potential risks.
Note: Requires Windows 10 version 1709 and later.
Maximum Application Log File Size Set the maximum Application log file size in KB. Range 1024–2147483647.
Note: Requires Windows 10 version 1703 and later.
Maximum System Log File Size Set the maximum System log file size in KB. Range 1024–2147483647.
Note: Requires Windows 10 version 1703 and later.
Maximum Security Log File Size Set the maximum Security log file size in KB. Range 1024–2147483647.
Note: Requires Windows 10 version 1703 and later.
Audit Credential Validation Configure auditing of events generated by validation tests on user account login credentials.
Note: Requires Windows 10 version 1803 and later.
Audit Kerberos Authentication Service Configure the generation of an audit event after a Kerberos authentication TGT request.
Note: Requires Windows 10 version 1803 and later.
Audit Account Lockout Configure Group Membership Auditing in User Logon Tokens.
Note: Requires Windows 10 version 1803 and later.
Audit Group Membership Configure auditing to capture events generated by each successful login. If the group membership information cannot fit into a single security audit event, multiple events are created.
Note: Requires Windows 10 version 1803 and later.
Audit Logon Configure auditing to capture events generated by user account login attempts on the computer.
Note: Requires Windows 10 version 1803 and later.
Audit Other Logon Logoff Events Configure auditing of logon and logoff events, including Terminal Services sessions, workstation locks/unlocks, screen saver activity, and Kerberos replay attack detection.
Note: Requires Windows 10 version 1803 and later.
Audit Special Logon Configure auditing for events generated by special logons, such as those with administrator-equivalent privileges used to elevate processes, and logons by members of special groups.
Note: Requires Windows 10 version 1803 and later.
Audit Security Group Management
Configure auditing for events generated by changes to security groups, such as when:
  • A security group is created, changed, or deleted
  • A member is added or removed
  • The group type changes
Note: Requires Windows 10 version 1803 and later.
Audit User Account Management Configure auditing for events generated by attempts to change a user account. Success audits record successful attempts, while failure audits record unsuccessful attempts.
Note: Requires Windows 10 version 1803 and later.
Audit PNP Activity Configure auditing to capture events when Plug and Play detects an external device.
Note: Requires Windows 10 version 1803 and later.
Audit Process Creation Configure auditing for events generated when a process is created or starts. The audit also captures the name of the application or user that created the process.
Note: Requires Windows 10 version 1803 and later.
Audit Detailed File Share Configure auditing to capture attempts to access files and folders on a shared folder. Detailed File Share audit events include information about the permissions used to grant or deny access.
Note: Requires Windows 10 version 1803 and later.
Audit Other Object Access Events Configure auditing to capture events generated by the management of Task Scheduler jobs or COM+ objects.
Note: Requires Windows 10 version 1803 and later.
Audit Removable Storage Configure auditing to capture user attempts to access file system objects on a removable storage device. Audit events are generated for all objects and all types of requested access.
Note: Requires Windows 10 version 1803 and later.
Audit Authentication Policy Change
Configure auditing to capture events generated by changes to the authentication policy:
  • The creation, modification, and removal of forest and domain trusts
  • Changes to the Kerberos policy
Note: Requires Windows 10 version 1803 and later.
Audit MPSSVC Rule Level Policy Change Configure auditing to capture events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC) for Windows Defender Firewall.
Note: Requires Windows 10 version 1803 and later.
Audit Other Policy Change Events
Configure auditing to capture events generated by other security policy changes not covered in the policy change category. This includes:
  • Trusted Platform Module (TPM) configuration changes
  • Kernel-mode cryptographic self-tests
  • Cryptographic context operations
Note: Requires Windows 10 version 1803 and later.
Audit Policy Change
Configure auditing to capture changes in security audit policy settings, such as:
  • Setting permissions and audit settings on the Audit Policy object
  • Changes to system audit policy
Note: Requires Windows 10 version 1803 and later.
Audit Sensitive Privilege Use
Configure auditing to capture events generated when sensitive privileges are used, such as:
  • Privileged services called to back up files and directories
  • Creating a token object
  • Debugging programs
Note: Requires Windows 10 version 1803 and later.
Audit Other System Events
Configure auditing to capture events such as:
  • The startup and shutdown of Windows Firewall services and drivers
  • Security policy processing by the Windows Firewall service
  • Migration operations
Note: Requires Windows 10 version 1803 and later.
Audit Security State Change
Configure auditing to capture events generated by changes in the security state of the computer, such as:
  • Startup and shutdown
  • Changes to system time
  • Recovering the system from CrashOnAuditFail
Note: Requires Windows 10 version 1803 and later.
Audit Security System Extension Configure auditing to capture events related to security system extensions or services such as when an authentication, notification, or security package is loaded and registered with the Local Security Authority (LSA).
Note: Requires Windows 10 version 1803 and later.
Audit System Integrity Configure auditing to capture events that violate the integrity of the security subsystem, such as events that could not be written to the event log due to a problem with the auditing system.
Note: Requires Windows 10 version 1803 and later.
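As an added example (not code from the original page or from Microsoft), this PowerShell script checks the Audit rows of the Settings table above against the device's effective audit policy using `auditpol`'s CSV report, and checks the three log-size rows against their policy registry values. The expected audit types and minimum log sizes are this example's choices, not values stated on the page; the subcategory names are the English names `auditpol` prints, so a localized system would need its own name table.

```powershell
# Added example, not from the original page or from Microsoft: verify the audit
# policy rows in the Settings table with auditpol's CSV report, plus the three
# log-size rows via their policy registry values. Expected settings below are
# this example's choices, not values stated on the page.

# Subcategory name as auditpol prints it -> audit types this example expects.
$ExpectedAudit = [ordered]@{
    'Credential Validation'           = 'Success','Failure'
    'Account Lockout'                 = 'Failure'
    'Group Membership'                = 'Success'
    'Logon'                           = 'Success','Failure'
    'Other Logon/Logoff Events'       = 'Success','Failure'
    'Special Logon'                   = 'Success'
    'Security Group Management'       = 'Success'
    'User Account Management'         = 'Success','Failure'
    'Plug and Play Events'            = 'Success'
    'Process Creation'                = 'Success'
    'Detailed File Share'             = 'Failure'
    'Other Object Access Events'      = 'Success','Failure'
    'Removable Storage'               = 'Success','Failure'
    'Authentication Policy Change'    = 'Success'
    'MPSSVC Rule-Level Policy Change' = 'Success','Failure'
    'Other Policy Change Events'      = 'Failure'
    'Audit Policy Change'             = 'Success'
    'Sensitive Privilege Use'         = 'Success','Failure'
    'Other System Events'             = 'Success','Failure'
    'Security State Change'           = 'Success'
    'Security System Extension'       = 'Success'
    'System Integrity'                = 'Success','Failure'
}

function ConvertTo-AuditTypeSet {
    # auditpol's "Inclusion Setting" column is "No Auditing", "Success",
    # "Failure" or "Success and Failure"; return it as a set of audit types.
    param([string]$InclusionSetting)
    $set = @()
    if ($InclusionSetting -match 'Success') { $set += 'Success' }
    if ($InclusionSetting -match 'Failure') { $set += 'Failure' }
    return $set
}

function Test-AuditPolicyRows {
    param([System.Collections.IDictionary]$Expected)
    # /r prints a CSV report; auditpol precedes it with a blank line, so drop empty lines.
    $current = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($name in $Expected.Keys) {
        $row = $current | Where-Object { $_.Subcategory -eq $name }
        $actual = @(if ($row) { ConvertTo-AuditTypeSet $row.'Inclusion Setting' })
        # "Success and Failure" satisfies a row that only requires "Success":
        # compliant when every expected audit type is present in the live setting.
        $missing = @($Expected[$name] | Where-Object { $_ -notin $actual })
        [pscustomobject]@{
            Subcategory = $name
            Expected    = ($Expected[$name] -join ' and ')
            Actual      = if ($row) { $row.'Inclusion Setting' } else { 'Unknown subcategory' }
            Compliant   = ($missing.Count -eq 0)
        }
    }
}

function Test-EventLogSizeRows {
    # Minimum sizes in KB are assumptions of this example, chosen inside the
    # 1024-2147483647 range the table gives for each log.
    $minimums = [ordered]@{ Application = 32768; System = 32768; Security = 196608 }
    foreach ($log in $minimums.Keys) {
        $key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$log"
        $max = (Get-ItemProperty -Path $key -Name MaxSize -ErrorAction SilentlyContinue).MaxSize
        [pscustomobject]@{
            Log       = $log
            MinimumKB = $minimums[$log]
            ActualKB  = $max
            Compliant = ($null -ne $max -and $max -ge $minimums[$log])
        }
    }
}

Test-AuditPolicyRows -Expected $ExpectedAudit | Format-Table -AutoSize
Test-EventLogSizeRows | Format-Table -AutoSize
```

The comparison is a superset test on purpose: a subcategory set to "Success and Failure" already produces every event that a row asking for "Success" alone needs, so it is reported as compliant rather than as drift, while "No Auditing" on any listed subcategory always fails. A log-size row fails when the policy value is absent as well as when it is below the minimum, because an unmanaged log keeps the OS default size and can wrap before the events an investigation needs are collected.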