This post has been republished via RSS; it originally appeared at: New blog articles in Microsoft Tech Community.
We have updated our Windows 10 v1903 and Windows Server v1903 security configuration baseline recommendations to address some issues:
- The first and most important change is that we are removing the Computer Configuration setting, “Enable svchost.exe mitigation options” (in System\Service Control Manager Settings\Security Settings) from the Windows 10 and Windows Server baselines at this time because of reports that in its current implementation it causes more compatibility issues than we had anticipated.
- We have also adjusted a few auditing settings in the Domain Controller baseline to align more closely with recommendations in the Windows 10 and Windows Server 2016 security auditing and monitoring reference document (also reflected here).
We have also added a Baseline-ADImport.ps1 PowerShell script to import all the baseline’s GPOs into Active Directory Group Policy, and improved other scripts, including preventing the local-policy script from running on Domain Controllers.