This week Microsoft started the rollout of their fourth major feature update to Windows 10.
That update is widely known by its marketing name - Fall Creators Update. However, most IT Pros and System Admins will come to know it simply as Windows 10 Version 1709.
Although many enterprise and business customers will not be jumping on this update right away preferring to test it on a smaller scale in their organizations for compatibility, resources are already starting to appear to help out in that process.
The first key tool is the final version of the Security Baseline for Windows 10 Version 1709.
This document provides the recommended security configuration for this latest update for Windows 10 and is part of the Microsoft Security Compliance Toolkit. That toolkit contains tools that enterprise security admins can use to download, analyze, test, edit, and store these Microsoft recommended security configurations and compare them against other recommendations/settings.
According to Microsoft, these are they key differences between the new Windows 10 Version 1709 security baseline and the one which was released earlier this year alongside of Windows 10 Version 1703 (aka the Creators Update).
- Implementing Attack Surface Reduction rules within Windows Defender Exploit Guard. Exploit Guard is a new feature of v1709 that helps prevent a variety of actions often used by malware. You can read more about Exploit Guard here: Reduce attack surfaces with Windows Defender Exploit Guard. Note that for this draft, we are enabling “block” mode for all of these settings. We are taking a particularly careful look at the “Block office applications from injecting into other process;” if it creates compatibility problems then we might change the baseline recommendation to “audit” mode for that setting. Please let us know what you observe with this draft baseline.
- Enabling Exploit Guard’s Network Protection feature to prevent any application from accessing web sites identified as dangerous, including those hosting phishing scams and malware. This extends the type of protection offered by SmartScreen to all programs, including third-party browsers.
- Enabling a new setting that prevents users from making changes to the Exploit protection settings area in the Windows Defender Security Center.
For more information about these baselines and using them in your own organization be sure to visit the Windows Security Baselines site.
Also provided through the Microsoft Download Center is a full package of Administrative Templates (.admx files) that can be used with Group Policy as is or modified to fit your organizations needs as you test and roll out Windows 10 Version 1709.