Windows 10

This guidance has been updated to cover the 1809 “October 2018 Update” of Windows 10 Enterprise. It builds on the previous 1803 “April 2018 Update” guidance.

Testing was performed on a Windows Hardware Certified device, running Windows 10 Enterprise. The hardware was a Dell Latitude E7490, managed with Active Directory on Server 2019. This guidance is not applicable to Windows devices managed via an MDM or Windows To Go. We have separate guidance on how to configure devices with MDM.

It’s important to remember that this guidance has been conceived as a way to satisfy the 12 End User Device Security Principles. As such, it consists of recommendations and should not be seen as a set of mandatory instructions requiring no further thought.

Risk owners and administrators should agree a configuration which balances business requirements, usability and security.

Risk owners’ summary

We recommend the following architectural choices for Windows 10:

All data should be routed over a secure enterprise VPN to ensure the confidentiality and integrity of the traffic. This also allows the devices, and data on them, to be protected by enterprise protective monitoring solutions.

Installation of arbitrary third-party applications by users is not permitted on the device. Applications should be authorized by an administrator and deployed via a trusted mechanism.
Most users should have accounts with no administrative privileges. Users that require administrative privileges should use a separate unprivileged account for email and web browsing. Administrator accounts should have a unique strong password per device.

When configured in this way, risk owners should be aware of the following technical risks associated with this platform:

Associated security principle	Explanation of risks
Secure boot	Windows 10 can support secure boot, but is dependent on supported and correctly configured hardware

Administrators’ deployment guide

Overview

Security principle	Explanation
Assured data-in-transit protection	Use the Windows 10 Built-In VPN Client configured as per customization guide. Configure the built-in Windows firewall to block outbound connections when the VPN is not active. An example firewall profile is provided in the Firewall configuration section. Use certificates for user or machine credentials. We recommend that Windows Key Attestation or Windows Hello for Business should be used to bind these credentials to the device’s hardware. Alternatively, use a third-party, correctly configured, CPA Foundation grade VPN app which makes use of the UWP (Universal Windows Platform) VPN plug-in platform.
Assured data-at-rest protection	Use one of the following configurations to provide full volume encryption: · BitLocker with a TPM and PIN configured in alignment with the BitLocker configuration settings. · An independently assured CPA Foundation Grade, Data at Rest encryption product that supports UEFI and Windows Secure Boot, configured in alignment with the security procedures for that product. If using BitLocker, deploy the configuration settings before encryption is started. Device Encryption introduced for Connected Standby devices in Windows 10 does not allow the use of a passphrase to unlock the disk and so does not support some of the mandatory requirements expected from assured disk encryption products. BitLocker, or an independently assured CPA Foundation Grade product, should be used instead.
Authentication	The user implicitly authenticates to the device by entering the BitLocker PIN at boot time. The user then has a secondary credential to use when authenticating to the platform after boot and when unlocking the device. You should use Windows Hello for Business and allow the user to log in with a PIN code or Biometric. For both Windows Hello and traditional passwords, the credential derives a key which protects other credentials, which give access to corporate services. In an enterprise environment, the user will also be issued with an Active Directory credential which will be required when they use a device for the first time. You should use Credential Guard to best protect this credential. The user should also be a member of the Protected Users Security Group on the domain and that domain should be running a minimum of 2016 Functional Domain Level. Windows Hello for Business also permits biometric unlock of devices that have the necessary hardware. This can be used if desired. Accounts with administrative privileges should only be present on End User Devices used to perform administrative functions and should take advantage of the Restricted Admin feature of Remote Desktop Connections. User accounts with administrative privileges should have a strong password and ideally a second factor to authenticate them to the platform at logon and unlock time. The credentials will be best protected if the administrative user is a member of the Protected Users Security Group on the domain, and have Authentication Policy Silos applied. Microsoft provides guidance on the use of administrative workstations, delegation of privilege and other good administrative practices.
Secure boot	On Windows 10, this requirement is met on a correctly configured platform deployed on the Hardware Compatibility Program. A UEFI password can make it more difficult for an attacker to modify the boot process. With physical access, the boot process can still be compromised.
Platform integrity and application sandboxing	No configuration is required.
Application whitelisting	An enterprise configuration can be applied to implement application control using AppLocker. A recommended sample configuration that only allows Administrator-installed applications to run is provided below. Device Guard can also be used to reinforce application control rules. As it does not offer the same granularity as AppLocker, the two technologies should be used alongside one another. AppLocker can be used to restrict which pre-installed Windows Apps are available to users, and if the public Windows Store is enabled it can control which applications a user can install.
Malicious code detection and prevention	Windows 10 includes Windows Defender Antivirus and Windows Defender SmartScreen that attempt to detect malicious code for the platform. Cloud sample submission can be disabled. Alternatively, third party anti-malware products are available. If using a third-party product, those that implement the Anti-Malware Scan Interface (AMSI) should be preferred to improve compatibility with future Feature Updates. The Early Launch Anti-Malware (ELAM) driver provides signature checking for known bad drivers on ELAM-compliant systems that are configured to use Secure Boot. Microsoft Store for Business, or a Company Store, can be used to distribute user-installable universal apps. Such stores should only contain vetted apps. If the public Microsoft Store is enabled, AppLocker can be used to control which applications a user is able to install. Content-based attacks can be filtered by scanning capabilities in the enterprise. Windows Defender Exploit Guard can be used to help prevent vulnerabilities in older software from being successfully exploited.
Security policy enforcement	Settings applied through Group Policy cannot be modified by unprivileged users.
External interface protection	Interfaces can be configured using group policy. USB removable media can be blocked through Group Policy if required. Direct Memory Access (DMA) is possible from peripherals connected to some external interfaces including FireWire and Thunderbolt unless disabled through group policy as detailed below, or in the UEFI/BIOS. With Windows 10 Connected Standby devices, part of the hardware compliance mitigates DMA attacks by disallowing these interfaces.
Device updates	Windows Update can automatically download and install updates. If the Microsoft Store is enabled, it should be configured to automatically update Microsoft Store apps. Some devices will allow the UEFI firmware to be updated automatically via Windows Update. Devices that do not implement this will require updates via another mechanism whenever a new firmware is released. Windows Update for Business or Windows Server Update Services (WSUS) can, optionally, be used to monitor and enforce updates of the core platform, system firmware and any Windows applications.
Event collection	Event collection can be carried out using Windows Event Forwarding for central event log collection.
Incident response	The combination of BitLocker drive encryption and enterprise revocation of user credentials are appropriate for managing this security recommendation.

Recommended network architecture

For all remote or mobile working scenarios, you should consider using a typical remote access architecture based on the Walled Garden Architectural Pattern. The following network diagram describes the recommended architecture for this platform. The remote device will need Active Directory access in order to authenticate and retrieve group policy.

Alternatively, consider a reduced presentation layer that allows direct access from the VPN gateway to internal services via the internal firewall. The inner firewall should be used to restrict access where possible.

The risk of allowing more direct access to the core network can be reduced by binding the authentication certificate to the end user device, ensuring that it is only possible for legitimate devices to connect.

Preparation for deployment

The steps below should be followed to prepare your organizational infrastructure to host a deployment of these devices:

Procure, deploy and configure network components, including an approved IPsec VPN Gateway.
Configure the Microsoft Deployment Toolkit to deploy your organization’s standard desktop build, using a clean Windows 10 Enterprise image. Consider including credential management tools such as LAPS and MBAM.
Create Group Policies for user and computer groups in accordance with the settings later in this section, ensuring that the Microsoft Baseline settings have the lowest precedence when being deployed.
Deploy an AppLocker rule set using Group Policy following guidance in the Application Whitelisting section. A sample configuration, which allows only applications installed by an Administrator to run, is outlined in the Group Policy settings
Create Event Forwarding Subscriptions and configure Group Policy to forward at least AppLocker, Application, System and Security logs that have a level of Critical Error or Warning, to an event management system.
Configure user groups according to the principle of least privilege. Where available, configure these users to be in the Protected Users group and apply Restricted Admin and Authentication Policy Silos to privileged users.
Deploy System Center Configuration Manager (SCCM) or additional OEM-dependent infrastructure if you wish to implement remote management of device firmware.

Device provisioning steps

The steps below should be followed to provision each end user device onto your organization’s network, preparing it for distribution to end users:

Update the system firmware to the latest version available from the vendor. This may be called a UEFI or BIOS update.
Configure the system firmware to boot in UEFI mode
Enable TPM, Secure Boot and virtualization extensions
Disable unused hardware interfaces
Check the boot order to prioritize internal storage and set a password to prevent changes. Most of these settings will be pre-configured on a Windows Hardware Compatibility Program device.
Install a clean version of Windows from a known good source.

Recommended policies and settings

This section details important security policy settings which are recommended for a Windows 10 deployment. Other settings (e.g. server address) should be chosen according to the relevant network configuration.

Remember, any guidance points given here are recommendations - they are not mandatory. Risk owners and administrators should agree a configuration which balances business requirements, usability and the security of the platform.

Settings not listed in this section are either not applicable to this mode or should be chosen according to your organizational policy and requirements.

Microsoft baselines

The configuration below builds on the enterprise baselines distributed by Microsoft. Microsoft Security Compliance Toolkit 1.0 can be used to help assess the differences between security configurations. The configuration below has been tested to work with the Windows 10 version 1809 baselines.

You should use the following Microsoft baseline GPO settings:

MSFT Windows 10 and Server 2019 Member Server - Credential Guard
MSFT Windows 10 and Server 2019 – Defender Antivirus
MSFT Windows 10 and Server 2019 – Domain Security
MSFT Windows 10 1809 - BitLocker
MSFT Windows 10 1809 - Computer
MSFT Windows 10 1809 - User

User account hardening

Group Policy	Value(s)
Computer Configuration > Administrative Templates > Network > Network Connections > Require domain users to elevate when setting a network’s location	Enabled
Computer Configuration > Administrative Templates > Windows Components > Credential User Interface > Do not display the password reveal button	Enabled
Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of OneDrive for file storage	Enabled
Computer Configuration > Administrative Templates > Windows Components > Sync your settings > Do not sync	Enabled Allow users to turn syncing on: Disabled
Computer Configuration > Administrative Templates > Windows Components > Search > Allow Cortana	Disabled
Computer Configuration > Administrative Templates > Windows Components > Search > Don’t search the web or display web results in Search	Enabled
Computer Configuration > Administrative Templates > Windows Components > Store > Disable all apps from Microsoft Store	Enabled
Computer Configuration > Administrative Templates > Windows Components > Store > Turn off Automatic Download and Install of updates	Disabled
Computer Configuration > Administrative Templates > Windows Components > Store > Turn off the Store application	Enabled
User Configuration > Administrative Templates > Control Panel > Personalization > Screen saver timeout	600 seconds
Computer Configuration > Administrative Templates > System > Logon > Turn off picture password sign-in	Enabled
Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business > Use a hardware security device	Enabled

Authentication policy

Your organization should have a consistent authentication policy which applies to all users and devices capable of accessing its data. You can use our published password guidance to help inform any password policy.

An administrator should configure the relevant on-device settings in line with your authentication policy.

Windows 10 Enterprise implements a number of relevant settings as Fine Grained Password Policies that should be configured on the Domain Controller.

Group Policy	Value(s)
CN=System > CN=Password Settings Container > CN=Granular Password Settings Users	Precedence: 2 Enforce minimum password length Enforce lockout policy Account will be locked out: Until an administrator manually unlocks the account Directly Applies To: Domain Users
CN=System > CN=Password Settings Container > CN=Granular Password Settings Administrators	Precedence: 1 Enforce minimum password length Password must meet complexity requirements Enforce lockout policy Account will be locked out: Until an administrator manually unlocks the account Directly Applies To: Domain Admins Protect from accidental deletion: Enabled

Active Directory

A user’s Active Directory password will normally only be used when enrollling against a device for the first time. It is not backed by a second factor or by hardware-backed anti-hammer, even when Credential Guard is deployed.

Different requirements can be set for different account types using Fine Grained Password Policies. If the Active Directory password is only used for device enrollment, it needs to be easy to type in but does not need to be memorable.

Windows Hello and Hardware Strengthening

We recommend that users should log in to and unlock devices using Windows Hello for Business instead of a Windows password. This creates a user credential that is tied to the physical device using a PIN or biometric. When used on Windows 10 Certified devices, it provides hardware-backed anti-hammer. Windows Hello should only be enabled on devices that use a TPM. Detailed guidance on Hello for Business deployment can be found in the Microsoft Hello for Business deployment guide.

Users can choose to set a PIN after they have logged on to the device for the first time. A number of group policies should be used to configure the PIN requirement.


Group Policy > Computer Configuration > Administrative Templates > System > PIN Complexity
PIN Complexity > Maximum PIN length
PIN Complexity > Minimum PIN length
PIN Complexity > Require digits
PIN Complexity > Require lowercase letters
PIN Complexity > Require special characters
PIN Complexity > Require uppercase characters

The configuration provided in this guidance enables Virtual Secure Mode and Credential Guard on supported devices. Biometrics can be used if these features are installed and enabled. Biometrics are enabled by default on Windows 10, so group policy should be used to disable biometrics if they are not being used. For more information see Microsoft’s paper on credential guard.

System hardening


Group Policy	Value(s)
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Allow Telemetry	Enabled: 0 - Security Note - If using Windows Update for Business this will need to be set to 1 (Basic). See Windows 10 feature updates for more details.
Computer Configuration > Administrative Templates > Windows Components > Windows Error Reporting > Disable Windows Error Reporting	Enabled
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Prevent installation of devices that match these device IDs This policy prevents all Thunderbolt devices from being used and provides the strongest protection from DMA attacks. If organizations require the use of Thunderbolt devices, they should first check if the host supports Kernel DMA protection and has it enabled. If it is not supported, follow the Microsoft guidance to disable new DMA devices when the computer is locked.	Enabled: PCI\CC_0C0A Also apply to matching devices that are already installed: Disabled
Computer Configuration > Administrative Templates > System > Device Installation > Device Installation Restrictions > Prevent installation of drivers matching these device setup classes	Enabled: {d48179be-ec20-11d1-b6b8-00c04fa372a7} {7ebefbc0-3200-11d2-b4c2-00a0C9697d07} {c06ff265-ae09-48f0-812c-16753d7cba83} {6bdd1fc1-810f-11d0-bec7-08002be2092f} Also apply to matching devices that are already installed: Disabled
Computer Configuration > Administrative Templates > Windows Components > Store > Turn off Automatic Download and Install of updates	Disabled
Computer Configuration > Administrative Templates > Windows Components > App runtime > Block launching Universal Windows apps with Windows Runtime API access from hosted content.	Enabled
Computer Configuration > Administrative Templates > Network > Network Isolation > Proxy definitions are authoritative	Enabled
Computer Configuration > Administrative Templates > Network > Network Isolation > Subnet definitions are authoritative	Enabled
Computer Configuration > Administrative Templates > Windows Components > Portable Operating System > Windows To Go Default Startup Options	Disabled
Computer Configuration > Preferences > Windows Settings > Registry > Replace > HKLM\Software\Microsoft\Windows\CurrentVersion\policies\system\	(DWORD) SafeModeBlockNonAdmins = 1
Computer Configuration > Preferences > Windows Settings > Registry > Replace > HKLM\System\CurrentControlSet\Control\SafeBoot\Network	(REG_SZ) Appid = Service
Computer Configuration > Preferences > Windows Settings > Registry > Replace > HKLM\System\CurrentControlSet\Control\SafeBoot\Network	(REG_SZ) Appid.sys = Driver
Computer Configuration > Preferences > Windows Settings > Registry > Replace > HKLM\System\CurrentControlSet\Control\SafeBoot\Network	(REG_SZ) discache.sys = Driver
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Accounts: Block Microsoft accounts	Users can’t add or log on with Microsoft accounts
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings > Stores > Allow user trusted root Certificate Authorities (CAs) to be used to validate certificates	Disabled
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings > Stores > Allow users to trust peer trust certificates	Disabled
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings > Stores > Root CAs that client computers can trust	Third-Party Root Certification Authorities and Enterprise Root Certification Authorities
Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings > Stores	CAs must also be compliant with user principal name (UPN) constraints = Disabled
Computer Configuration > Administrative Templates >Network > Network Connections > Require domain users to elevate when setting a network’s location	Enabled
Computer Configuration > Administrative Templates > System > Group Policy > Phone-PC linking on this device	Disabled
Computer Configuration > Administrative Templates > System > OS Policies > Allow upload of User Activities	Disabled
Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Allow a shared Books folder	Disabled
Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Allow configuration updates for the Books Library	Enabled
Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Allow extended telemetry for the Books tab	Disabled
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Turn off Windows Defender Antivirus	Disabled
Computer Configuration > Administrative Templates > Windows Components > Windows Logon Options > Sign-in last interactive user automatically after a system-initiated restart	Disabled
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Disable new DMA devices when this computer is locked	Enabled
Computer Configuration > Administrative Templates > System > Group Policy > Continue experiences on this device	Disabled
Computer Configuration > Administrative Templates > System > Kernel DMA Protection > Enumeration policy for external devices incompatible with Kernel DMA Protection	Enabled: Enumeration policy: Block all
Computer Configuration > Administrative Templates > System > OS Policies > Allow Clipboard History	Disabled
Computer Configuration > Administrative Templates > System > OS Policies > Allow Clipboard synchronization across devices	Disabled
Computer Configuration > Administrative Templates > System > OS Policies > Allow publishing of User Activities	Disabled
Computer Configuration > Administrative Templates > System > OS Policies > Enabled Activity Feed	Disabled
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure collection of browsing data for Microsoft 365 Analytics	Enabled Configure telemetry collection: Do not allow sending intranet or internet history
Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > Disable diagnostic data viewer.	Enabled
Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Allow Microsoft Edge to start and load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed	Enabled Configure tab preloading: Prevent tab preloading
Computer Configuration > Administrative Templates > Windows Components > Microsoft Edge > Allow Sideloading of extensions	Disabled

Group Policy can be used to limit user access to removable media such as USB mass storage devices, if required by organizational policy. The settings can be found in Computer Configuration > Administrative Templates > System > Removable Storage Access.

Group Policy can also be used to fully allow list all devices or device classes which are allowed to be installed. In this way you could allow, for example, basic peripherals such as mice, keyboards, monitors and network cards, but refuse the connection and installation of other devices. It is important to allow list enough classes of device to allow a successful boot on a variety of hardware.

Details on how to enable allow listing of specific devices can be found on MSDN.

Windows Defender configuration

If using Windows Defender, configure it to enable cloud-backed protections while limiting its ability to send sensitive data for analysis.


Group Policy	Value(s)
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > MAPS > Configure the ‘Block at First Sight’ feature	Enabled
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > MAPS > Join Microsoft MAPS	Enabled: Advanced
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > MAPS > Send file samples when further analysis is required	Enabled: Send safe samples automatically
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Real-time Protection > Turn off real-time protection	Disabled

AppLocker configuration

This example set of AppLocker rules implements the application allow listing principles outlined in Enterprise Considerations below. It can be modified to allow the user to install and run apps from either an enterprise software center or the Microsoft Store.

Scripting languages such as Visual Basic Scripting should be disabled unless they are specifically needed.


Group Policy	Value(s)
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Enforcement > Executable Rules	Configured: True Enforce Rules
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules	Allow Everyone: All files located in the Windows Defender\Platform folder - %OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\* Allow Everyone: All files located in the Program Files folder - with exceptions Exception: (Path) %PROGRAMFILES%\Windows Kits\\Debuggers\ Allow Everyone: All files located in the Windows folder - with exceptions Exception: (Path) %SYSTEM32%\com\dmp\* Exception: (Path) %SYSTEM32%\FxsTmp\* Exception: (Path) %SYSTEM32%\Spool\drivers\color\* Exception: (Path) %SYSTEM32%\Spool\PRINTERS\* Exception: (Path) %SYSTEM32%\Spool\SERVERS\* Exception: (Path) %SYSTEM32%\Tasks\* Exception: (Path) %SYSTEM32%\microsoft\crypto\rsa\machinekeys\* Exception: (Path) %WINDIR%\tasks\* Exception: (Path) %WINDIR%\temp\* Exception: (Path) %WINDIR%\tracing\* Exception: (Path) %WINDIR%\registration\crmlog\* Exception: (Path) %WINDIR%\servicing\packages\* Exception: (Path) %WINDIR%\servicing\sessions\* Exception: (Publisher) %SYSTEM32%\WMIC.exe,* Exception: (Publisher) %SYSTEM32%\cmstp.exe,* Exception: (Publisher) %SYSTEM32%\mshta.exe,* Exception: (Publisher) %SYSTEM32%\PresentationHost.exe,* Exception: (Publisher) %SYSTEM32%\windbg.exe,* Exception: (Publisher) %SYSTEM32%\cipher.exe,* Exception: (Publisher) %Microsoft.NET%\Framework64\\IEExec.exe Exception: (Publisher) %Microsoft.NET%\Framework64\\InstallUtil.exe Exception: (Publisher) %Microsoft.NET%\Framework\\regsvcs.exe Exception: (Publisher) %Microsoft.NET%\Framework\\msbuild.exe Exception: (Publisher) %Microsoft.NET%\Framework\*\regasm.exe Allow Administrators: All files
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Enforcement > Windows Installer Rules	Configured: True Enforce Rules
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Windows Installer Rules	Allow Administrators: All Windows Installer files Allow Everyone: (PATH) %WINDIR%\Installer\*
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Enforcement > Script Rules	Configured: True Enforce Rules
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Script Rules > Enforce rules of this type	Allow Everyone: All Scripts located in the Program Files folder Allow Everyone: All Scripts located in the Windows folder - with exceptions Exception: (PATH) %SYSTEM32%\com\dmp\* Exception: (PATH) %SYSTEM32%\FxsTmp\* Exception: (PATH) %SYSTEM32%\Spool\drivers\color\* Exception: (PATH) %SYSTEM32%\Spool\PRINTERS\* Exception: (PATH) %SYSTEM32%\Spool\SERVERS\* Exception: (PATH) %SYSTEM32%\Tasks\* Exception: (PATH) %WINDIR%\registration\crmlog\* Exception: (PATH) %WINDIR%\tasks\* Exception: (PATH) %WINDIR%\temp\* Exception: (PATH) %WINDIR%\tracing\* Exception: (PATH) %WINDIR%\servicing\packages\* Exception: (PATH) %WINDIR%\servicing\sessions\* Exception: (PATH) %SYSTEM32%\microsoft\crypto\rsa\machinekeys\* Allow Administrators: All scripts
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Enforcement > DLL Rules	Configured: True Enforce Rules
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > DLL Rules	Allow Everyone: All DLLs located in the Windows Defender\Platform folder - %OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\* Allow Everyone: All DLLs located in the Program Files folder Allow Everyone: All DLLs located in the Windows folder - with exceptions Exception: (PATH) %SYSTEM32%\com\dmp\* Exception: (PATH) %SYSTEM32%\FxsTmp\* Exception: (PATH) %SYSTEM32%\Spool\drivers\color\* Exception: (PATH) %SYSTEM32%\Spool\PRINTERS\* Exception: (PATH) %SYSTEM32%\Spool\SERVERS\* Exception: (PATH) %SYSTEM32%\Tasks\* Exception: (PATH) %SYSTEM32%\microsoft\crypto\rsa\machinekeys\* Exception: (PATH) %WINDIR%\registration\crmlog\* Exception: (PATH) %WINDIR%\tasks\* Exception: (PATH) %WINDIR%\temp\* Exception: (PATH) %WINDIR%\tracing\* Exception: (PATH) %WINDIR%\servicing\packages\* Exception: (PATH) %WINDIR%\servicing\sessions\* Allow Administrators: All DLLs
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Enforcement > Packaged app Rules	Configured: True Enforce Rules
Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Packaged app rules	Allow Everyone: All signed packaged apps Exception: (Publisher) Microsoft.Getstarted Exception: (Publisher) Microsoft.MicrosoftOfficeHub Exception: (Publisher) Microsoft.SkypeApp Exception: (Publisher) Microsoft.WindowsFeedback

BitLocker configuration

The following settings should be configured to use full volume encryption in TPM and PIN mode.


Group Policy	Value(s)
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Enforce drive encryption type on operating system drives	Enabled Select the encryption type: Full encryption
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Configure use of hardware-based encryption for operating system drives	Disabled
Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives > Require additional authentication at startup	Enabled Allow BitLocker without a compatible TPM (Requires a password or startup key on a USB flash drive): Unticked Configure TPM startup: Do not allow TPM Configure TPM startup PIN: Allow startup PIN with TPM Configure TPM startup key: Do not allow startup key with TPM Configure TPM startup key and PIN: Allow startup key and PIN with TPM

The BitLocker PIN should be in line with your organization’s password policy. Deployments that include fixed-location workstations may prefer to use BitLocker Network Unlock as an alternative to a PIN.

Users can change the PIN after they have logged on to the device for the first time. A number of group policies can be used to configure the PIN requirements including:


Group Policy > Computer Configuration > Administrative Templates > Windows Components > Operating System Drives
Allow enhanced PINs for startup
Configure minimum PIN length for startup
Configure use of passwords for operating system drives

Windows Defender Exploit Guard configuration

The majority of Exploit Guard configuration is performed using an XML file, the location of which is specified through Group Policy. The XML file can be generated using the Windows Defender Security Center application, or exported from EMET.

As Exploit Guard can cause compatibility issues with some applications, Microsoft recommends that Exploit Guard policies are thoroughly tested before they are enforced across an organization. “Audit mode” can be used to support this.


Group Policy	Value(s)
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Controlled folder access	Enabled Mode: Block
Computer Configuration > Administrative Templates > Windows Components > Window Defender Exploit Guard> Use a common set of exploit protection settings	Enabled. A UNC path to an XML file containing any desired settings should be configured.
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack Surface Reduction > Configure Attack Surface Reduction rules Details on these policies can be found at https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard	d4f940ab-401b-4efc-aadc-ad5f3c50688a: 1 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2: 1 3b576869-a4ec-4529-8536-b80a7769e899: 1 5beb7efe-fd9a-4556-801d-275e5ffc04cc: 1 92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B: 1 b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4: 1 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84: 1 d3e037e1-3eb8-44c8-a917-57927947596d: 1 be9ba2d9-53ea-4cdc-84e5-9b1eeee46550: 1 26190899-1602-49e8-8b27-eb1d0a1ce869: 1 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c: 1 d1e49aac-8f56-4280-b9ba-993a6d77406c: 2

If files stored outside of user and system directories should be protected with Controlled Folder access, these should be added to Exploit Guard with Group Policy. A table of the various attack surface reduction rules, and what restrictions they impose, can be found here.

Windows Defender Device Guard and Application Control configuration

Windows Defender Device Guard includes Windows Defender Application Control (WDAC), which allows administrators to permit only digitally signed applications to run on user devices. Where unsigned line of business applications are also used, administrators can permit these using a signed catalog file containing details of the trusted unsigned applications. It should however be noted that Windows Defender Device Guard rules will apply to all users, so it is not possible to allow administrators to run some applications that users cannot. Consequently, Microsoft recommends that administrators deploy WDAC alongside AppLocker policies.

Organizations should create their own WDAC policies using gold builds of each device type, and thoroughly test them prior to deployment. Guidance on how to achieve this can be found on the Microsoft website. The rules should include the exclusion list given by Microsoft in their WDAC guidance.

Organizations should also enable Virtualization Based Security to guard against malicious software being loaded into the Windows kernel. This can be achieved with the following Group Policy settings:


Group Policy	Value(s)
Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security	Enabled: Platform Security: Secure Boot and DMA Protection Virtualization Based Protection of Code Integrity: Enabled with UEFI Lock Require UEFI Memory Attributes Table: Enabled* Credential Guard Configuration: Enabled with UEFI Lock Secure Launch Configuration: Enabled

*Please note - setting this value to Enabled will require UEFI 2.6+. See this page from Microsoft for more details. Microsoft have also provided tools to check whether devices are ready for deploying Device Guard and Credential Guard.

Windows Defender Application Guard configuration

Windows Defender Application Guard uses Microsoft’s Hyper-V virtualization technology to load untrusted websites.

We recommend that this is configured in Enterprise Mode, with the following Group Policy settings:


Group Policy	Value(s)
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard > Turn on Windows Defender Application Guard in Enterprise Mode	Enabled
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard > Allow data persistence for Windows Defender Application Guard	Disabled
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard > Allow auditing events in Windows Defender Application Guard	Enabled
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard > Prevent enterprise websites from loading non-enterprise content	Enabled
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard > Configure Windows Defender Application Guard clipboard settings	Enabled: Enable clipboard operation from an isolated session to the host. Clipboard content options: 3 (Allow text and image copying)
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard > Configure Windows Defender Application Guard print settings	Enabled: Allowed Print types in Application Guard: 11 (Allow network, PDF and XPS printing)
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard > Allow files to download and save to the host operating system from Windows Defender Application Guard	Enabled
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard > Configure additional sources for untrusted files in Windows Defender Application Guard	Enabled: Removable media: Enabled Network shares: Enabled Files with Mark of the Web: Enabled
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard > Allow Windows Defender Application Guard to use Root Certificate Authorities from the user’s device	Disabled
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard > Allow users to trust files that open in Windows Defender Application Guard	Enabled: 0. Do not allow users to manually trust files
Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard > Allow camera and microphone access in Windows Defender Application Guard	Disabled
Computer Configuration > Administrative Templates > Network > Network Isolation > Enterprise resource domains hosted in the cloud	Enabled:
Computer Configuration > Administrative Templates > Network > Network Isolation > Private network ranges for apps	Enabled: Any IP address ranges that are used for internal applications. These can be specified in CIDR notation.

Windows Defender Firewall configuration

This firewall configuration is used to enforce the use of an always-on VPN.

You may also need to add rules to allow your VPN client to make outbound connections when the device is in either a public or private profile. Sample rules are provided with the BCSF configuration guide.

If you need to add firewall exceptions to allow for remote management, they should only be applied to the Domain profile.


Group Policy	Value(s)
Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Domain Profile	Firewall State : On (Recommended) Inbound connections : Block (default) Outbound connections : Allow (default)
Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Domain Profile > Settings > Customize > Apply local firewall rules	No
Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Private Profile	Firewall State : On (Recommended) Inbound connections : Block (default) Outbound connections : Block
Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Private Profile > Settings > Customize > Apply local firewall rules	No
Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Public Profile	Firewall State : On (Recommended) Inbound connections : Block (default) Outbound connections : Block
Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall Properties > Public Profile > Settings > Customize > Apply local firewall rules	No
Computer Configuration > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Outbound Rules	Enabled Allow outbound DHCP General > Action: Allow the connection Programs and Services > Programs > This Program > %SystemRoot%\system32\svchost.exe Allow Programs and Services > Service > Apply to this service > DHCP Client (Dhcp) Advanced > Profiles: Private, Public Protocols and Ports > Local port: UDP 68 Protocols and Ports > Remote port: UDP 67 Allow outbound DNS General > Action: Allow the connection Programs and Services > Programs > This Program > %SystemRoot%\system32\svchost.exe Allow Programs and Services > Service > Apply to this service > DNS Client (Dnscache) Advanced > Profiles: Private, Public Protocols and Ports > Remote port: TCP 53, UDP 53 Allow outbound Kerberos General > Action: Allow the connection Programs and Services > Programs > This Program > %SystemRoot%\system32\lsass.exe Advanced > Profiles: Private, Public Protocols and Ports > Remote port: All TCP and UDP ports Allow outbound LDAP General > Action: Allow the connection Programs and Services > Programs > This Program > All programs that meet the specified conditions Advanced > Profiles: Private, Public Protocols and Ports > Remote port: TCP 389, UDP 389 Allow outbound NCSI Probe General > Action: Allow the connection Programs and Services > Programs > This Program > %SystemRoot%\system32\svchost.exe Allow Programs and Services > Service > Apply to this service > Network Location Awareness (NlaSvc) Advanced > Profiles: Private, Public Protocols and Ports > Remote port: TCP 80

VPN configuration

You should deploy VPN infrastructure configured either to support the PRIME or Foundation profiles as detailed in the BCSF’s IPsec Guidance and following our platform independent guidance on VPNs.

Since version 1709, Windows 10’s built-in VPN client has supported Device Tunnel mode. This allows the computer to establish a tunnel prior to users logging in, so that policy or software updates can be obtained at startup. However, an always-on user VPN will still need to be configured to allow users to access corporate resources.

If you are using a third-party VPN client, you should prefer one that has been built on top of the Windows 10 UWP VPN plug-in platform. These will likely integrate better into the platform and be more reliable, as the Windows platform is regularly updated.

Device firmware

Devices should meet the minimum required Unified Extensible Firmware Interface (UEFI) specification 2.3.1c, boot in UEFI mode, and enable secure boot by default. UEFI legacy fall back options and direct memory access (DMA) ports should also be disabled during boot. Devices certified under the Windows 10 Hardware Compatibility program implement these features by default.

You should also ensure that purchased devices implement signed manufacturer firmware updates by default. This should be checked with the manufacturer as part of your procurement process.

Management of UEFI firmware settings

There are several ways in which you can manage the firmware settings of your devices:

Manage them locally on the device using the pre-boot UEFI console.
Use OEM-provided tools for management of firmware settings locally from within the running OS. Examples include HP BIOS Configuration Utility and Dell Command Configure.
Use these same tools in conjunction with device management infrastructure such as System Center Configuration Manager (SCCM) to remotely manage devices’ firmware settings.
Manage them remotely using enterprise management features provided by the OEM that are integrated specifically in to device management infrastructure such as System Center Configuration Manager (SCCM). An example is HP Manageability Integration Kit (MIK).

One of these approaches should be taken, and used to configure the settings below.

Recommended settings

The following UEFI settings should be applied. Some of these settings are hardware dependent and may not be available on all platforms.


Setting	Value
Administrator/Setup Password + UEFI Lockout	A UEFI administrator or setup password should be set and UEFI console lockout enabled to prevent unauthorized changes to UEFI settings.
Boot Mode	UEFI
Secure Boot	Enabled
Legacy Boot Options and Legacy Option ROMs	Disabled
Manufacturer Signed Firmware Updates	Enabled
Trusted Platform Module (TPM)	Enabled
UEFI Firmware Rollback	Disabled
Boot Options	Restricted to only those that are required. Priority should be given to internal storage.
Boot Order	Locked
No Execute (NX)	Enabled
Virtualization Extensions	Enabled
Input/Output Memory Management Unit (IOMMU)	Enabled
Thunderbolt	Ports should be disabled if not required If required · Disable Thunderbolt boot support if not required. · Disable Thunderbolt pre-boot module support. · Set a minimum Thunderbolt Security Level of User Authorization.

Automating Updates

Device firmware updates should be automated where possible. The BCSF recommends one of the following techniques for automating system firmware updates:

Windows 10 can support firmware updates via Windows Update. This simplifies the automation of firmware updates. You should check with your OEM that they support this update mechanism, as it is typically only used with Microsoft’s own hardware.
Some OEMs, including Dell and HP, distribute firmware updates as third-party Windows Server Update Services (WSUS) update package catalogues. System Center Configuration Manager (SCCM) and System Center Update Publisher (SCUP) can be used to import these catalogues. The firmware updates can then be published directly in to SCCM and deployed as a software update.

Note: In some cases, additional client agent software may be required to support the deployment. This is dependent on the OEM - their documentation should be consulted in addition to the steps described above.

Firmware update utilities that are available from the OEM as Microsoft Installer Packages (.msi) can be deployed directly as a required application through an Enterprise Management solution such as System Center Configuration Manager (SCCM).
Custom Task Sequences in System Center Configuration Manager (SCCM) can also provide a method to deploy firmware updates. They provide a flexible deployment option if built-in features in SCCM - such as application installation and software updates - cannot be used to deploy the firmware update. A typical task sequence would comprise steps to target the firmware update, perform a silent installation of the firmware update utility, an option to suspend BitLocker and a forced device restart.

Note that there can be significant variation in the command line flags that are required to perform a silent installation for a specific OEM device and corresponding system firmware update utility. You should consult OEM documentation when designing the custom task sequence.

OEMs in many cases also provide their own client solutions that include management of firmware updates. You should refer to your OEM to determine if these solutions meet your needs.

Firmware Integrity and Recovery

Some OEM devices provide support for automated firmware recovery if an update fails or the firmware becomes corrupted. These features should be enabled if supported.

In addition, some OEMs provide enhanced hardware-backed protection for the integrity of firmware, which can detect unauthorized changes to the firmware and alert or automatically recover from these changes. Devices with these features (e.g. Intel Boot Guard or HP Sure Start) should be preferred, if available.

Enterprise considerations

The following points are in addition to the common enterprise considerations and contain specific issues for Windows 10 deployments.

Windows 10 Enterprise feature updates

The Windows 10 Semi-Annual Channel receives feature updates twice-per-year. All currently supported feature updates will be supported for 30 months from their original release date. All future feature updates with a targeted release month of September (starting with 1809) will be supported for 30 months from their release date. All future feature updates with a targeted release month of March (starting with 1903) will only be supported for 18 months from their release date.

The BCSF recommends organizations deploy feature updates immediately to a targeted deployment to validate that the apps, devices and infrastructure used work well with the new release. Once validation is complete, begin deploying broadly. You can defer feature updates for up to 365 days from release. To help with this approach organizations using Azure Active Directory may deploy Insider builds to a select group of devices via the Windows Insider Program for Business.


Group Policy	Value(s)
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Remove access to “Pause updates” feature	Enabled
Computer Configuration > Administrative Templates > Windows Components> Windows Update > Windows Update for Business > Manage preview builds	Disabled
Computer Configuration > Administrative Templates > Windows Components > Windows Update > Windows Update for Business > Select when Preview Builds and Feature Updates are received	Select the Windows readiness level for the updates you want to receive: Semi-Annual Channel After a Preview Build or Feature Update is released, defer receiving it for this many days: 0

Monthly Quality Updates, which include critical security and driver updates should be downloaded and installed automatically.

If your organization is using Windows Update for Business you will need to set the Telemetry level from 0 (Security) to 1 (Basic) for update policies to be honored, as no Windows update information is gathered when set to 0. If you are using Windows Server Update Services (WSUS) or System Center Configuration Manager (SCCM) you will not be affected. For more information on Windows telemetry settings see this document from Microsoft and for more information on configuring Windows Update for Business see here.

When choosing third party products that alter the behavior of the platform (such as VPN clients, anti-malware tools, management agents and auditing tools), it is important to realize that these may also need to be updated to remain compatible with newer versions of Windows 10. Products are more likely to be supported on future versions of Windows 10 if they use legitimate API’s such as the Anti-Malware Scan Interface and the Windows Runtime API for VPN’s.

This guidance may be updated in the future to cover significant new features in Windows 10 if they can improve the usability of the platform, while best addressing each of the security recommendations. The Windows 10 Long-Term Servicing Channel is designed for devices that never change, such as medical equipment and components in industrial control systems. It should not be deployed on End User Devices that are used to browse the web or use enterprise productivity software.

Device selection

Windows 10 can run on a wide variety of device types with a wide variety of internal hardware. Many of the newer Windows security mitigations require the device to have specific hardware components and for them to be turned on.

Even if you are not deploying these mitigations at the moment, you should seek to buy a Windows Hardware Compatibility Program device that supports TPM 2.0, UEFI v2.3.1 or higher and has a processor with virtualization extensions.

The BCSF recommends devices that support InstantGo. Devices that are InstantGo certified will not have ports that allow DMA access and will have TPM 2.0 or later. InstantGo will maintain network connectivity when your screen is off in standby mode and will automatically have device encryption enabled.

If you are using Windows Hello with biometric authentication, you will need to buy special hardware, see Microsoft’s blog for more information.

Signature Edition devices can be used if the required hardware is available. If using these devices, you may not need to reinstall Windows.

Application allow listing

When configuring additional application allow lists for a Windows device, it is important that the following conditions are considered:

Users should not be allowed to run programs from areas where they are permitted to write files.
Care should be taken to ensure that application updates do not conflict with allow listing rules.
Applications should be reviewed before being approved enterprise-wide, to ensure they don’t undermine application allow listing. This is especially important for scripting languages which have their own execution environment.

The suggested AppLocker configuration in this guidance will implement those rules if using software that adheres to the requirements of Microsoft’s Desktop App Certification Program. If the rules do need to be customized, follow Microsoft’s Design Guide to minimize the impact to enterprise operations.

Universal applications

The configuration given above prevents users from accessing the Windows Store to install applications, but an organization can still host its own store to distribute in-house applications to their employees, if required. This can be implemented either using the Microsoft Store for Business in the cloud, or via a Company Store app deployed to devices.

If the Windows Store is enabled, users should explicitly use their corporate Microsoft ID to sign into the Store app rather than associating their work device with their personal Microsoft ID. AppLocker can be configured to only allow installation of apps that are on an enterprise-configured “allow” list. The Windows Store can be configured to automatically update any installed Universal applications. The same mechanism can also be used to remove Universal Apps that come with Windows – ones that the user is not allowed to run will be disallowed and removed from the Start menu.

Desktop applications

Enterprise software that handles data downloaded from the Internet needs additional protections.

Application sandboxing and content rendering controls should be considered essential. For applications such as Microsoft Office, or Adobe Acrobat, the use of their enterprise security controls should be considered. These security controls aim to help protect the end user when processing these potentially malicious files.

As well as providing a trusted platform to run enterprise web apps, modern web browsers have to process a wide variety of rich content from the Internet – some of which must be considered untrustworthy. You should consider the security controls available when choosing a web browser. If choosing a Microsoft browser, Edge should be preferred, with Internet Explorer only being used for specific website compatibility. If feasible, remove Internet Explorer from the installed image.

The update mechanisms built into Windows can be used to deploy and update Microsoft products but cannot keep third party products up to date. Where available, the auto-update mechanism built into third party products should be use to install updates. Where auto-update is not available, it will be necessary to deploy updates using an enterprise system management service.

Cloud integration

Windows 10 devices do not need to be associated with a Microsoft ID to operate as required within an enterprise. Users should not enable personal, non-enterprise Microsoft ID (Live ID) accounts on the device, as this may allow data to leak through Microsoft cloud services backup and application storage.