Whether you have already rolled out the Windows 10 Creators Update to your end users or are currently testing the feature update in your own evaluation rings, the baseline security recommendations from Microsoft give you a good starting place for establishing security settings for these devices.
Back in June of this year, Microsoft released their draft version of the security baseline for the Creators Update so that IT Pros and System Admins could evaluate them and provide feedback.
This week they finalized the feedback and are now providing a download that contains a collection of documents that lay out the documentation, GP Reports, GPOs, Local Scripts, Templates, and WMI Filters that can be used as a baseline to then create your own default security posture for the Creators Update.
There are just three differences between the draft recommendations and the final ones:
-- The security settings that disallowed Internet Explorer from using downloaded fonts in the Internet and Restricted Sites zones have been removed. This change in IE11 recommendations applies only to Windows 10, and is possible because of Windows 10's additional mitigations as described in the blog post, Dropping the "Untrusted Font Blocking" setting.
-- The enforcement of the default for the User Rights Assignment, Generate security audits (SeAuditPrivilege), has been removed. Enforcing the default does not mitigate contemporary security threats, and hampers the functionality of programs such as System Center Operations Manager (SCOM) that need to change the default.
-- We are enabling the setting, "Do not suggest third-party content in Windows spotlight" in User Configuration\Administrative Templates\Windows Components\Cloud Content. Enabling this setting is consistent with our having previously enabled "Turn off Microsoft consumer experiences."
Having a solid baseline is a good starting point as you look towards rolling out the Creators Update in your own organization.