Security baseline for Windows 10, version 21H2

Published Dec 20 2021 01:00 PM 18.1K Views
Microsoft

We are pleased to announce the release of the Windows 10, version 21H2 security baseline package!

 

Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate.

 

This Windows 10 feature update brings very few new policy settings. One setting has been added for this release for printer driver installation restrictions (which was also added to the Windows 11 release). Additionally, all Microsoft Edge Legacy settings have been removed.

 

Restrict Driver Installations

In July a Knowledge Base article and subsequent patch was released for CVE-2021-34527, more commonly known as “PrintNightmare”. We have added a new setting to the MS Security Guide (Administrative Templates\Printers\Limits print driver installation to Administrators) and enforced the enablement.  Note this setting was previously a custom setting in SecGuide.admx/l and has since moved inbox.

 

Microsoft Edge Legacy

Microsoft Edge Legacy (EdgeHTML-based) reached end of support on March 9, 2021 and is not part of Windows 10 21H2. Therefore, the settings that supported it have been removed from the baseline. Going forward, please use the new Microsoft Edge (Chromium-based) baseline, which is on a separate release cadence and available as part of the Microsoft Security Compliance Toolkit.

 

Tamper Protection

While you are enabling the Microsoft Security Baseline, make sure to enable Microsoft Defender for Endpoint's "Tamper Protection" to add a layer of protection against Human Operated Ransomware.


As a reminder, our security baselines for the endpoint also include Microsoft 365 Apps for Enterprise, which we recently released, as well as Microsoft Edge and Windows Update.

 

Please let us know your thoughts by commenting on this post or via the Security Baseline Community.

6 Comments
%3CLINGO-SUB%20id%3D%22lingo-sub-3042703%22%20slang%3D%22en-US%22%3ESecurity%20baseline%20for%20Windows%2010%2C%20version%2021H2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3042703%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20pleased%20to%20announce%20the%20release%20of%20the%20Windows%2010%2C%20version%2021H2%20security%20baseline%20package!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20download%20the%20content%20from%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fdownload%2Fdetails.aspx%3Fid%3D55319%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Security%20Compliance%20Toolkit%3C%2FA%3E%2C%20test%20the%20recommended%20configurations%2C%20and%20customize%20%2F%20implement%20as%20appropriate.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThis%20Windows%2010%20feature%20update%20brings%20very%20few%20new%20policy%20settings.%20One%20setting%20has%20been%20added%20for%20this%20release%20for%20printer%20driver%20installation%20restrictions%20(which%20was%20also%20added%20to%20the%20Windows%2011%20release).%20Additionally%2C%20all%20Microsoft%20Edge%20Legacy%20settings%20have%20been%20removed.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ERestrict%20Driver%20Installations%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EIn%20July%20a%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Ftopic%2Fkb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EKnowledge%20Base%20article%3C%2FA%3E%26nbsp%3Band%20subsequent%20patch%20was%20released%20for%20CVE-2021-34527%2C%20more%20commonly%20known%20as%20%E2%80%9CPrintNightmare%E2%80%9D.%20We%20have%20added%20a%20new%20setting%20to%20the%20MS%20Security%20Guide%20(%3CEM%3EAdministrative%20Templates%5CPrinters%5CLimits%20print%20driver%20installation%20to%20Administrators%3C%2FEM%3E)%20and%20enforced%20the%20enablement.%26nbsp%3B%20Note%20this%20setting%20was%20previously%20a%20custom%20setting%20in%20SecGuide.admx%2Fl%20and%20has%20since%20moved%20inbox.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3EMicrosoft%20Edge%20Legacy%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EMicrosoft%20Edge%20Legacy%20(EdgeHTML-based)%20reached%20end%20of%20support%20on%20March%209%2C%202021%20and%20is%20not%20part%20of%20Windows%2010%2021H2.%20Therefore%2C%20the%20settings%20that%20supported%20it%20have%20been%20removed%20from%20the%20baseline.%20Going%20forward%2C%20please%20use%20the%20new%20Microsoft%20Edge%20(Chromium-based)%20baseline%2C%20which%20is%20on%20a%20separate%20release%20cadence%20and%20available%20as%20part%20of%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fwww.microsoft.com%2Fdownload%2Fdetails.aspx%3Fid%3D55319%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EMicrosoft%20Security%20Compliance%20Toolkit%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3ETamper%20Protection%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3EWhile%20you%20are%20enabling%20the%20Microsoft%20Security%20Baseline%2C%20make%20sure%20to%20enable%20Microsoft%20Defender%20for%20Endpoint's%20%22%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmicrosoft-365%2Fsecurity%2Fdefender-endpoint%2Fprevent-changes-to-security-settings-with-tamper-protection%3Fview%3Do365-worldwide%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3ETamper%20Protection%3C%2FA%3E%22%20to%20add%20a%20layer%20of%20protection%20against%20Human%20Operated%20Ransomware.%3C%2FP%3E%0A%3CP%3E%3CBR%20%2F%3EAs%20a%20reminder%2C%20our%20security%20baselines%20for%20the%20endpoint%20also%20include%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-security-baselines%2Fsecurity-baseline-for-microsoft-365-apps-for-enterprise-v2104%2Fba-p%2F2307695%22%20target%3D%22_blank%22%3EMicrosoft%20365%20Apps%20for%20Enterprise%3C%2FA%3E%2C%20which%20we%20recently%20released%2C%20as%20well%20as%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-security-baselines%2Fsecurity-baseline-for-microsoft-edge-version-90%2Fba-p%2F2275943%22%20target%3D%22_blank%22%3EMicrosoft%20Edge%3C%2FA%3E%20and%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-security-baselines%2Fwindows-update-baseline-joins-the-security-compliance-toolkit%2Fba-p%2F2098482%22%20target%3D%22_blank%22%3EWindows%20Update%3C%2FA%3E.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EPlease%20let%20us%20know%20your%20thoughts%20by%20commenting%20on%20this%20post%20or%20via%20the%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2FMicrosoft-Security-Baselines%2Fbd-p%2FSecurity-Baselines%22%20target%3D%22_blank%22%3ESecurity%20Baseline%20Community%3C%2FA%3E.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-3042703%22%20slang%3D%22en-US%22%3E%3CP%3EWe%20are%20pleased%20to%20announce%20the%20release%20of%20the%20Windows%2010%2C%20version%2021H2%20security%20baseline%20package!%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%221021H2.jpg%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F335136i421BBA302E113C75%2Fimage-size%2Flarge%3Fv%3Dv2%26amp%3Bpx%3D999%22%20role%3D%22button%22%20title%3D%221021H2.jpg%22%20alt%3D%221021H2.jpg%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-3042703%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECompliance%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EFinal%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%20Baseline%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%20Compliance%20Toolkit%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EUpdates%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EWindows%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3043929%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20for%20Windows%2010%2C%20version%2021H2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3043929%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1256466%22%20target%3D%22_blank%22%3E%40w1nd0ws%3C%2FA%3E%26nbsp%3Bthe%20script%20is%20fine%2C%20the%20section%20you%20are%20referring%20to%20is%20an%20example%20output%20when%20you%20run%20the%20actual%20script.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3043473%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20for%20Windows%2010%2C%20version%2021H2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3043473%22%20slang%3D%22en-US%22%3E%3CP%3EHi.%20This%20Windows%2010%20version%2021H2%20Security%20Baseline%20archive%20c%3CSPAN%20class%3D%22%22%3E%3CSPAN%20class%3D%22%22%3E%3CSPAN%3Eontains%20incorrect%20file%20%22MapGuidsToGpoNames.ps1%22.%20%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3CSPAN%20class%3D%22%22%3E%3CSPAN%20class%3D%22%22%3E%3CSPAN%3EHe%20is%20from%20Windows%202004%20and%20have%20others%20values.%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3051657%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20for%20Windows%2010%2C%20version%2021H2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3051657%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F272514%22%20target%3D%22_blank%22%3E%40Rick_Munck%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3EThe%20naming%20of%20the%20Excel%20worksheet%20in%20the%20Windows%2010%20version%2021H2%20Security%20Baseline.zip%20is%20maybe%20wrong%20%3B)%3C%2Fimg%3E%3CBR%20%2F%3EFINAL-MS%20Security%20Baseline%20Windows%2010%20%3CSTRONG%3Ev21H1%3C%2FSTRONG%3E.xlsx%20in%20location%3A%3CBR%20%2F%3EWindows-10-v21H2-Security-Baseline%2FDocumentation%2F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3054317%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20for%20Windows%2010%2C%20version%2021H2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3054317%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1059077%22%20target%3D%22_blank%22%3E%40DST%3C%2FA%3E%26nbsp%3Blooks%20like%20we%20missed%20that%2C%20thanks%20for%20the%20catch!%26nbsp%3B%20We%20will%20adjust%20on%20the%20next%20release%2C%20the%20good%20news%20is%20the%20content%20is%20accurate.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3054393%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20for%20Windows%2010%2C%20version%2021H2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3054393%22%20slang%3D%22en-US%22%3E%3CP%3EThank%20you%20for%20sharing%2C%20you%20mentioned%20about%20the%20Tamper%20protection%20but%20as%20you%20may%20know%20it%20is%26nbsp%3B%3CSTRONG%3Enot%26nbsp%3B%3C%2FSTRONG%3Epossible%20to%20manage%20it%20with%20Group%20Policy%20and%20Configuration%20Manager%20and%20it%20is%20possible%20to%20manage%20it%20only%20using%20Cloud%20solutions%20like%20MEM.%20I%20know%20it%20is%20a%20behavior%20by%20design%20but%20it%20would%20have%20been%20nice%20if%20we%20could%20manage%20it%20using%20GPO%20and%20Configuration%20Manager%20too.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3056403%22%20slang%3D%22en-US%22%3ERe%3A%20Security%20baseline%20for%20Windows%2010%2C%20version%2021H2%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3056403%22%20slang%3D%22en-US%22%3E%3CP%3EDoes%20this%20apply%20to%20Windows%2010%20IoT%20Enterprise%20LTSC%202021%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Co-Authors
Version history
Last update:
‎Dec 20 2021 01:00 PM
Updated by:
We support Ukraine and condemn war. Push Russian government to act against war. Be brave, vocal and show your support to Ukraine. Follow the latest news HERE