Windows 11 – Security Baseline October 2021
Shortly after the release of Windows 11 at the beginning of October, Microsoft has now also published the matching security baseline. It contains recommendations on how to configure Windows 11 against current threats, based on a baseline. However, this is only a starting point: data protection, information security, content security and compatibility each deserve a dedicated review as well.
Microsoft Blogpost Information
Script scanning was a parity gap we had between Group Policy and MDM. Since this gap is now closed, we are enforcing the enablement of script scanning (Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on script-scanning).
Restrict Driver Installations
In July a Knowledge Base article and subsequent patch were released for CVE-2021-34527, more commonly known as “PrintNightmare”. We have added a new setting to the MS Security Guide custom administrative template for SecGuide.admx/l (Administrative Templates\MS Security Guide\Limits print driver installation to Administrators) and enforced the enablement.
Microsoft Edge Legacy
Microsoft Edge Legacy (EdgeHTML-based) reached end of support on March 9, 2021 and is not part of Windows 11. Therefore, the settings that supported it have been removed from the baseline. Going forward, please use the new Microsoft Edge (Chromium-based) baseline, which is on a separate release cadence and available as part of the Microsoft Security Compliance Toolkit.
While you are enabling the Microsoft Security Baseline for Windows 11 (and/or Windows 10, and/or Windows Server 2022/2019/2016), make sure to enable Microsoft Defender for Endpoint’s “Tamper Protection” to add a layer of protection against Human Operated Ransomware.
Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate.
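As an added example that is not part of Microsoft's post or the Security Compliance Toolkit, the following PowerShell audit script reports on a local Windows 11 host whether three of the settings discussed above are in effect: Defender script scanning, the print driver installation restriction, and Tamper Protection. It assumes the registry paths are the values the named Group Policy settings write, and that it runs in an elevated session.

```powershell
# Added audit script for this post (not from Microsoft's baseline or the Security Compliance Toolkit).
# Reports three of the settings discussed above on the local Windows 11 host:
#   1. Defender script scanning (policy value plus the effective Defender preference)
#   2. Print driver installation limited to Administrators (PrintNightmare mitigation)
#   3. Microsoft Defender Tamper Protection
# Assumption: the registry paths are the values the corresponding Group Policy settings write.
# Run from an elevated PowerShell session so the Defender cmdlets and policy keys are readable.

function Get-PolicyDword {
    param([string]$Path, [string]$Name)
    # $null when the value is absent, i.e. the policy is "Not configured"
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-BaselineItems {
    $items = @()

    # 1. "Turn on script-scanning" is stored inverted: DisableScriptScanning = 0 means enabled.
    $scriptPolicy    = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' 'DisableScriptScanning'
    $scriptEffective = (Get-MpPreference).DisableScriptScanning
    $items += [pscustomobject]@{
        Check     = 'Defender script scanning'
        Policy    = if ($null -eq $scriptPolicy) { 'Not configured' } elseif ($scriptPolicy -eq 0) { 'Enabled' } else { 'Disabled' }
        Compliant = (-not $scriptEffective)
    }

    # 2. MS Security Guide "Limits print driver installation to Administrators" writes
    #    RestrictDriverInstallationToAdministrators = 1 under the PointAndPrint policy key.
    $printPolicy = Get-PolicyDword 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint' 'RestrictDriverInstallationToAdministrators'
    $items += [pscustomobject]@{
        Check     = 'Print driver installation limited to Administrators'
        Policy    = if ($null -eq $printPolicy) { 'Not configured' } elseif ($printPolicy -eq 1) { 'Enabled' } else { 'Disabled' }
        Compliant = ($printPolicy -eq 1)
    }

    # 3. Tamper Protection is managed by Defender for Endpoint / Windows Security rather than by
    #    this baseline, so read the live Defender status instead of a policy key.
    $tamper = (Get-MpComputerStatus).IsTamperProtected
    $items += [pscustomobject]@{
        Check     = 'Defender Tamper Protection'
        Policy    = if ($tamper) { 'On' } else { 'Off' }
        Compliant = [bool]$tamper
    }
    return $items
}

$report = Test-BaselineItems
$report | Format-Table -AutoSize
# Non-zero exit code when any item deviates, so the script can run from a scheduled task or compliance check.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 } else { exit 0 }
```

A "Not configured" policy column with a compliant effective value means the setting is on locally but not enforced by the baseline GPO, which is worth tracking separately from a host where the setting is genuinely off.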