Windows 10 V1903: Security Baseline final released

[German]Microsoft has released the final of its Security Baseline for Windows 10 May 2019 Update (version 1903) and Windows Server 1903. Here is a brief overview.


The Security Baseline package consists of documentation and group policies, as well as PowerShell scripts that can be used to make basic protection about specific settings in Windows 10 or Windows Server 1903. The Final was announced on May 23, 2019 in the Technet article Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903.

Only a few new features, but changes

The new Windows Feature Update to Windows 10 Version 1903 brings very few new Group Policy settings that Microsoft lists in the documentation included with the package. This baseline recommends that you configure only two of them. However, Microsoft has made some changes to the existing settings. There have also been some changes since the draft released in April 2019. The changes to the Windows 10 v1809 and Windows Server 2019 Security Baseline include the following:

  • Enabling the new "Enable svchost.exe mitigation options" policy, which enforces stricter security on Windows services hosted in svchost.exe, including that all binaries loaded by svchost.exe must be signed by Microsoft, and that dynamically-generated code is disallowed. Please pay special attention to this one as it might cause compatibility problems with third-party code that tries to use the svchost.exe hosting process, including third-party smart-card plugins.
  • Configuring the new App Privacy setting, "Let Windows apps activate with voice while the system is locked," so that users cannot interact with applications using speech while the system is locked.
  • Disabling multicast name resolution (LLMNR) to mitigate server spoofing threats.
  • Restricting the NetBT NodeType to P-node, disallowing the use of broadcast to register or resolve names, also to mitigate server spoofing threats. We have added a setting to the custom "MS Security Guide" ADMX to enable managing this configuration setting through Group Policy.
  • Correcting an oversight in the Domain Controller baseline by adding recommended auditing settings for Kerberos authentication service.
  • Dropping the password-expiration policies that require periodic password changes. This change is discussed in further detail below.
  • Dropping the specific BitLocker drive encryption method and cipher strength settings. The baseline has been requiring the strongest available BitLocker encryption. We are removing that item for a few reasons. The default is 128-bit encryption, and our crypto experts tell us that there is no known danger of its being broken in the foreseeable future. On some hardware there can be noticeable performance degradation going from 128- to 256-bit. And finally, many devices such as those in the Microsoft Surface line turn on BitLocker by default and use the default algorithms. Converting those to use 256-bit requires first decrypting the volumes and then re-encrypting, which creates temporary security exposure as well as user impact.
  • Dropping the File Explorer "Turn off Data Execution Prevention for Explorer" and "Turn off heap termination on corruption" settings, as it turns out they merely enforce default behavior, as Raymond Chen describes here.

There are other changes that Microsoft has made since the release of the draft of this baseline:

  • Dropping the enforcement of the default behavior of disabling the built-in Administrator and Guest accounts. We had floated this proposal at the time of the draft baseline, and have since decided to accept it. The change is discussed in more detail in Technet.
  • Dropped a Windows Defender Antivirus setting that applies only to legacy email file formats.
  • Changed the Windows Defender Exploit Protection XML configuration to allow Groove.exe (OneDrive for Business) to launch child processes, particularly MsoSync.exe which is necessary for file synchronization.

Details on changes in password enforcement rules etc. explained in Technet article.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Windows and tagged . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *