Microsoft has announced the final release of the security configuration baseline settings for Windows 10 v2004, including Windows Server. What is the Windows security baseline all about, you may ask? Well, it's a group of configuration settings recommended by Microsoft. Simply put, the Windows security baseline settings come with an explanation of their security impact, based on feedback from Microsoft security engineering teams, product groups, and others.
Security Configuration Baseline Settings for Windows 10 v2004
“This Windows 10 feature update brings very few new policy settings,” Microsoft said in its blog post. “Only one new policy meets the criteria for inclusion in the security baseline, and we are removing one setting from the baseline.”
The Extended Protection setting for LDAP Authentication is now available as part of Windows, and it doesn't require registry-based policy settings. In March, Microsoft announced this change. As a result, all compatible Active Directory domain controllers can now configure this policy.
“The value will remain the same in our baseline, but the setting has moved to the new location.”
Since Microsoft has decided to deprecate its custom setting, the setting's new location is as follows:
Security Settings\Local Policies\Security Options\Domain controller: LDAP server channel binding token requirements.
However, Microsoft says this policy requires the March 10, 2020 security update.
Meanwhile, Windows 10 2004 now has a new Microsoft Defender Antivirus File Hash feature available under this location:
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine\Enable file hash computation feature.
As Microsoft describes, this setting forces the engine to compute the full file hash for all executable files that are scanned.
Windows 10 2004 also brings two new security settings for password policies: ‘Minimum password length audit’ and ‘Relax minimum password length limits’. These new settings are available under:
Account Policies\Password Policy
Microsoft has also decided to remove the ‘Turn on Behavior Monitoring’ policy from the Windows security baseline. It was available under:
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring
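To confirm what a given machine actually has for the settings named above, the following read-only PowerShell report is an added example, not code from Microsoft or from the baseline package. The registry value names and `Get-MpPreference` properties it reads are not given in this article; they are the backing locations assumed for these policies, and the script makes no claim about which values the baseline prescribes.

```powershell
# Added example: report the effective state of the settings discussed in the article.
# Assumption: the registry value names and Defender properties below back these policies.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy not configured).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function New-Row {
    param($Setting, $Value, $State)
    [pscustomobject]@{ Setting = $Setting; Value = $Value; State = $State }
}

function Get-BaselineSettingState {
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $sam  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'
    $cbtMeaning = @{ 0 = 'Never'; 1 = 'When supported'; 2 = 'Always' }

    # LDAP channel binding: the value only exists on domain controllers.
    $cbt = Get-RegValue $ntds 'LdapEnforceChannelBinding'
    if ($null -eq $cbt) { $state = 'Not configured (or not a domain controller)' }
    elseif ($cbtMeaning.ContainsKey([int]$cbt)) { $state = $cbtMeaning[[int]$cbt] }
    else { $state = 'Unrecognized value' }
    New-Row 'LDAP server channel binding token requirements' $cbt $state

    # The two new password policy settings.
    foreach ($name in 'MinimumPasswordLengthAudit', 'RelaxMinimumPasswordLengthLimits') {
        $v = Get-RegValue $sam $name
        if ($null -eq $v) { $state = 'Not configured' } else { $state = 'Configured' }
        New-Row $name $v $state
    }

    # Defender settings; Get-MpPreference fails where Defender is not installed.
    try {
        $mp = Get-MpPreference -ErrorAction Stop
        New-Row 'Enable file hash computation feature' $mp.EnableFileHashComputation 'Read from Defender'
        # Behavior monitoring left the baseline, so this row is informational only.
        New-Row 'Turn on behavior monitoring' (-not $mp.DisableBehaviorMonitoring) 'Read from Defender'
    } catch {
        New-Row 'Microsoft Defender Antivirus settings' $null "Unavailable: $($_.Exception.Message)"
    }
}

Get-BaselineSettingState | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt on the machine being checked; on member servers and workstations the LDAP row will show as not configured because the policy applies to domain controllers.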
Right now, Microsoft is working to bring certain enhancements for LGPO and Policy Analyzer. The company says the announcement will be made shortly after releasing the updated security configuration baseline setting.