gp-pack.com-BSI-BPOL_Windows_10_Sicherheitsmodul

Policies

Windows Settings

Security Settings

Account Policies/Password Policy

Policy	Setting
Enforce password history	24 passwords remembered
Maximum password age	42 days
Minimum password age	1 days
Minimum password length	14 characters
Password must meet complexity requirements	Enabled
Store passwords using reversible encryption	Disabled

Account Policies/Account Lockout Policy

Policy	Setting
Account lockout duration	15 minutes
Account lockout threshold	10 invalid logon attempts
Reset account lockout counter after	15 minutes

Local Policies/User Rights Assignment

Policy	Setting
Access Credential Manager as a trusted caller
Access this computer from the network	VORDEFINIERT\Administratoren
Act as part of the operating system
Adjust memory quotas for a process	NT-AUTORITÄT\Lokaler Dienst, NT-AUTORITÄT\Netzwerkdienst, VORDEFINIERT\Administratoren
Allow log on locally	VORDEFINIERT\Administratoren, VORDEFINIERT\Benutzer
Allow log on through Terminal Services	VORDEFINIERT\Remotedesktopbenutzer
Back up files and directories	VORDEFINIERT\Administratoren
Bypass traverse checking	Jeder, NT-AUTORITÄT\Lokaler Dienst, NT-AUTORITÄT\Netzwerkdienst, VORDEFINIERT\Administratoren, VORDEFINIERT\Benutzer, VORDEFINIERT\Sicherungs-Operatoren
Change the system time	NT-AUTORITÄT\Lokaler Dienst, VORDEFINIERT\Administratoren
Change the time zone	VORDEFINIERT\Administratoren, NT-AUTORITÄT\Lokaler Dienst
Create a pagefile	VORDEFINIERT\Administratoren
Create a token object
Create global objects	NT-AUTORITÄT\Lokaler Dienst, NT-AUTORITÄT\Netzwerkdienst, VORDEFINIERT\Administratoren, NT-AUTORITÄT\DIENST
Create permanent shared objects
Create symbolic links	VORDEFINIERT\Administratoren
Debug programs	VORDEFINIERT\Administratoren
Deny access to this computer from the network	NT-AUTORITÄT\Lokales Konto
Deny log on as a batch job	Gast
Deny log on as a service	Gast
Deny log on locally	Gast
Deny log on through Terminal Services	Gast, NT-AUTORITÄT\Lokales Konto
Enable computer and user accounts to be trusted for delegation
Force shutdown from a remote system	VORDEFINIERT\Administratoren
Generate security audits	NT-AUTORITÄT\Lokaler Dienst, NT-AUTORITÄT\Netzwerkdienst
Impersonate a client after authentication	NT-AUTORITÄT\Lokaler Dienst, NT-AUTORITÄT\Netzwerkdienst, VORDEFINIERT\Administratoren, NT-AUTORITÄT\DIENST
Increase a process working set	VORDEFINIERT\Benutzer
Increase scheduling priority	VORDEFINIERT\Administratoren
Load and unload device drivers	VORDEFINIERT\Administratoren
Lock pages in memory
Log on as a batch job	VORDEFINIERT\Administratoren
Log on as a service	No one (can cause serious problems!)
Manage auditing and security log	VORDEFINIERT\Administratoren
Modify an object label
Modify firmware environment values	VORDEFINIERT\Administratoren
Perform volume maintenance tasks	VORDEFINIERT\Administratoren
Profile single process	VORDEFINIERT\Administratoren
Profile system performance	VORDEFINIERT\Administratoren, NT SERVICE\WdiServiceHost
Remove computer from docking station	VORDEFINIERT\Administratoren, VORDEFINIERT\Benutzer
Replace a process level token	NT-AUTORITÄT\Lokaler Dienst, NT-AUTORITÄT\Netzwerkdienst
Restore files and directories	VORDEFINIERT\Administratoren
Shut down the system	VORDEFINIERT\Administratoren, VORDEFINIERT\Benutzer
Take ownership of files or other objects	VORDEFINIERT\Administratoren

Local Policies/Security Options

Accounts

Policy	Setting
Accounts: Administrator account status	Disabled
Accounts: Guest account status	Disabled
Accounts: Limit local account use of blank passwords to console logon only	Enabled
Accounts: Rename administrator account	"SetToNotEqualAdmin"
Accounts: Rename guest account	"SetToNotEqualGuest"

Domain Member

Policy	Setting
Domain member: Digitally encrypt or sign secure channel data (always)	Enabled
Domain member: Digitally encrypt secure channel data (when possible)	Enabled
Domain member: Digitally sign secure channel data (when possible)	Enabled
Domain member: Disable machine account password changes	Disabled
Domain member: Maximum machine account password age	42 days
Domain member: Require strong (Windows 2000 or later) session key	Enabled

Interactive Logon

Policy	Setting
Interactive logon: Do not display last user name	Enabled
Interactive logon: Do not require CTRL+ALT+DEL	Disabled
Interactive logon: Number of previous logons to cache (in case domain controller is not available)	0 logons
Interactive logon: Prompt user to change password before expiration	10 days
Interactive logon: Smart card removal behavior	Lock Workstation

Microsoft Network Client

Policy	Setting
Microsoft network client: Digitally sign communications (always)	Enabled
Microsoft network client: Digitally sign communications (if server agrees)	Enabled
Microsoft network client: Send unencrypted password to third-party SMB servers	Disabled

Microsoft Network Server

Policy	Setting
Microsoft network server: Amount of idle time required before suspending session	15 minutes
Microsoft network server: Digitally sign communications (always)	Enabled
Microsoft network server: Digitally sign communications (if client agrees)	Enabled
Microsoft network server: Disconnect clients when logon hours expire	Enabled

Network Access

Policy	Setting
Network access: Allow anonymous SID/Name translation	Disabled
Network access: Do not allow anonymous enumeration of SAM accounts	Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares	Enabled
Network access: Do not allow storage of passwords and credentials for network authentication	Enabled
Network access: Let Everyone permissions apply to anonymous users	Disabled
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths	System\CurrentControlSet\Control\ProductOptions, System\CurrentControlSet\Control\Server Applications, Software\Microsoft\Windows NT\CurrentVersion
Network access: Remotely accessible registry paths and sub-paths	System\CurrentControlSet\Control\Print\Printers, System\CurrentControlSet\Services\Eventlog, Software\Microsoft\OLAP Server, Software\Microsoft\Windows NT\CurrentVersion\Print, Software\Microsoft\Windows NT\CurrentVersion\Windows, System\CurrentControlSet\Control\ContentIndex, System\CurrentControlSet\Control\Terminal Server, System\CurrentControlSet\Control\Terminal Server\UserConﬁg, System\CurrentControlSet\Control\Terminal Server\DefaultUserConﬁguration, Software\Microsoft\Windows NT\CurrentVersion\Perﬂib, System\CurrentControlSet\Services\SysmonLog
Network access: Restrict anonymous access to Named Pipes and Shares	Enabled
Network access: Shares that can be accessed anonymously
Network access: Sharing and security model for local accounts	Classic - local users authenticate as themselves

Network Security

Policy

Setting

Network security: Do not store LAN Manager hash value on next password change

Enabled

Network security: Force logoff when logon hours expire

Enabled

Network security: LAN Manager authentication level

Send NTLMv2 response only. Refuse LM & NTLM

Network security: LDAP client signing requirements

Negotiate signing

Network security: Minimum session security for NTLM SSP based (including secure RPC) clients

Enabled

Require NTLMv2 session security	Enabled
Require 128-bit encryption	Enabled

Network security: Minimum session security for NTLM SSP based (including secure RPC) servers

Enabled

Require NTLMv2 session security	Enabled
Require 128-bit encryption	Enabled

System Cryptography

Policy	Setting
System cryptography: Force strong key protection for user keys stored on the computer	User must enter a password each time they use a key

System Objects

Policy	Setting
System objects: Require case insensitivity for non-Windows subsystems	Enabled
System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links)	Enabled

User Account Control

Policy	Setting
User Account Control: Admin Approval Mode for the Built-in Administrator account	Enabled
User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop	Disabled
User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode	Prompt for consent on the secure desktop
User Account Control: Behavior of the elevation prompt for standard users	Automatically deny elevation requests
User Account Control: Detect application installations and prompt for elevation	Enabled
User Account Control: Only elevate UIAccess applications that are installed in secure locations	Enabled
User Account Control: Run all administrators in Admin Approval Mode	Enabled
User Account Control: Switch to the secure desktop when prompting for elevation	Enabled
User Account Control: Virtualize file and registry write failures to per-user locations	Enabled

Other

Policy

Setting

Accounts: Block Microsoft accounts

Users can't add or log on with Microsoft accounts

Interactive logon: Machine account lockout threshold

4 invalid logon attempts

Interactive logon: Machine inactivity limit

900 seconds

Microsoft network server: Server SPN target name validation level

Required from client

Network security: Allow Local System to use computer identity for NTLM

Enabled

Network security: Allow LocalSystem NULL session fallback

Disabled

Network security: Allow PKU2U authentication requests to this computer to use online identities.

Disabled

Network security: Configure encryption types allowed for Kerberos

Enabled

DES_CBC_CRC	Disabled
DES_CBC_MD5	Disabled
RC4_HMAC_MD5	Enabled
AES128_HMAC_SHA1	Enabled
AES256_HMAC_SHA1	Enabled
Future encryption types	Enabled

Advanced Audit Configuration

Account Logon

Policy	Setting
Audit Credential Validation	Success, Failure

Account Management

Policy	Setting
Audit Application Group Management	Success, Failure
Audit Computer Account Management	Success, Failure
Audit Other Account Management Events	Success, Failure
Audit Security Group Management	Success, Failure
Audit User Account Management	Success, Failure

Detailed Tracking

Policy	Setting
Audit PNP Activity	Success
Audit Process Creation	Success

Logon/Logoff

Policy	Setting
Audit Account Lockout	Success
Audit Logoff	Success
Audit Logon	Success, Failure
Audit Other Logon/Logoff Events	Success, Failure
Audit Special Logon	Success, Failure

Object Access

Policy	Setting
Audit Removable Storage	Success, Failure

Policy Change

Policy	Setting
Audit Audit Policy Change	Success, Failure

Privilege Use

Policy	Setting
Audit Sensitive Privilege Use	Success, Failure

System

Policy	Setting
Audit IPsec Driver	Success, Failure
Audit Other System Events	Success, Failure
Audit Security State Change	Success, Failure
Audit System Integrity	Success, Failure

Administrative Templates

Policy definitions (ADMX files) retrieved from the central store.

Control Panel/Personalization

Policy	Setting	Comment
Prevent enabling lock screen camera	Enabled
Prevent enabling lock screen slide show	Enabled

Control Panel/Regional and Language Options

Policy	Setting	Comment
Allow input personalization	Disabled

LAPS

Policy

Setting

Comment

Do not allow password expiration time longer than required by policy

Enabled

Enable local admin password management

Enabled

Password Settings

Enabled

Password Complexity	Large letters + small letters + numbers + specials
Password Length	15
Password Age (Days)	42

Network/IPv6 Configuration

Policy

Setting

Comment

IPv6 Configuration Policy

Enabled

08202-0125: The recommended state for this setting is: DisabledComponents - 0xff (255)

IPv6 Configuration

Disable all IPv6 components

Network/Lanman Workstation

Policy	Setting	Comment
Enable insecure guest logons	Disabled

Network/Link-Layer Topology Discovery

Policy	Setting	Comment
Turn on Mapper I/O (LLTDIO) driver	Disabled
Turn on Responder (RSPNDR) driver	Disabled

Network/Microsoft Peer-to-Peer Networking Services

Policy	Setting	Comment
Turn off Microsoft Peer-to-Peer Networking Services	Enabled

Network/Network Connections

Policy	Setting	Comment
Prohibit installation and configuration of Network Bridge on your DNS domain network	Enabled
Require domain users to elevate when setting a network's location	Enabled

Network/Windows Connect Now

Policy	Setting	Comment
Configuration of wireless settings using Windows Connect Now	Disabled
Prohibit access of the Windows Connect Now wizards	Enabled

Network/Windows Connection Manager

Policy	Setting	Comment
Minimize the number of simultaneous connections to the Internet or a Windows Domain	Enabled
Prohibit connection to non-domain networks when connected to domain authenticated network	Enabled

SCM: Pass the Hash Mitigations

Policy	Setting	Comment
Apply UAC restrictions to local accounts on network logons	Enabled
WDigest Authentication (disabling may require KB2871997)	Enabled

SCM: Wi-Fi Sense

Policy	Setting	Comment
Disable Wi-Fi Sense	Enabled

System/Audit Process Creation

Policy	Setting	Comment
Include command line in process creation events	Disabled

System/Device Guard

Policy

Setting

Comment

Turn On Virtualization Based Security

Enabled

Select Platform Security Level:	Secure Boot and DMA Protection
Virtualization Based Protection of Code Integrity:	Enabled without lock
Require UEFI Memory Attributes Table	Disabled
Credential Guard Configuration:	Enabled with UEFI lock

System/Device Installation/Device Installation Restrictions

Policy

Setting

Comment

Prevent installation of devices that match any of these device IDs

Enabled

Prevent installation of devices that match any of these Device IDs:
PCI\CC_0C0A

To create a list of devices, click Show. In the Show Contents dialog box, in the Value column,

type a Plug and Play hardware ID or compatible ID

(for example, gendisk, USB\COMPOSITE, USB\Class_ff).

Also apply to matching devices that are already installed.

Enabled

Policy

Setting

Comment

Prevent installation of devices using drivers that match these device setup classes

Enabled

Prevent installation of devices using drivers for these device setup classes:
\d48179be-ec20-1 1d1-b6b8-00c04fa3 72a7\

To create a list of device classes, click Show. In the Show Contents dialog box, in the Value column,

type a GUID that represents a device setup class

(for example, {25DBCE51-6C8F-4A72-8A6D-B54C2B4FC835}).

Also apply to matching devices that are already installed.

Enabled

System/Early Launch Antimalware

Policy

Setting

Comment

Boot-Start Driver Initialization Policy

Enabled

Choose the boot-start drivers that can be initialized:

Good only

System/Group Policy

Policy

Setting

Comment

Configure registry policy processing

Enabled

a) Disable CSE Regsitry run during session (manually gpupdate aswell!)
b) as long there are no Admins, there can not be changes.

Do not apply during periodic background processing	Enabled
Process even if the Group Policy objects have not changed	Enabled

Policy

Setting

Comment

Turn off background refresh of Group Policy

Disabled

08202-0145 disables Background processing for CSE Registry(!)

System/Internet Communication Management/Internet Communication settings

Policy	Setting	Comment
Turn off access to the Store	Enabled
Turn off downloading of print drivers over HTTP	Enabled
Turn off handwriting personalization data sharing	Enabled
Turn off handwriting recognition error reporting	Enabled
Turn off Internet Connection Wizard if URL connection is referring to Microsoft.com	Enabled
Turn off Internet download for Web publishing and online ordering wizards	Enabled
Turn off printing over HTTP	Enabled
Turn off Registration if URL connection is referring to Microsoft.com	Enabled
Turn off Search Companion content file updates	Enabled
Turn off the "Order Prints" picture task	Enabled
Turn off the "Publish to Web" task for files and folders	Enabled
Turn off the Windows Messenger Customer Experience Improvement Program	Enabled	08202-0116 (Messenger does not exist in Windows 10)
Turn off Windows Customer Experience Improvement Program	Enabled
Turn off Windows Error Reporting	Enabled

System/Locale Services

Policy	Setting	Comment
Disallow copying of user input methods to the system account for sign-in	Enabled

System/Logon

Policy	Setting	Comment
Do not display network selection UI	Enabled
Do not enumerate connected users on domain-joined computers	Enabled
Enumerate local users on domain-joined computers	Disabled
Turn off app notifications on the lock screen	Enabled
Turn off picture password sign-in	Enabled
Turn on convenience PIN sign-in	Disabled

System/Mitigation Options

Policy

Setting

Comment

Untrusted Font Blocking

Enabled

Mitigation Options

Block untrusted fonts and log events

System/Power Management/Sleep Settings

Policy	Setting	Comment
Allow standby states (S1-S3) when sleeping (on battery)	Disabled
Allow standby states (S1-S3) when sleeping (plugged in)	Disabled
Require a password when a computer wakes (on battery)	Enabled
Require a password when a computer wakes (plugged in)	Enabled

System/Remote Assistance

Policy	Setting	Comment
Configure Offer Remote Assistance	Disabled
Configure Solicited Remote Assistance	Disabled

System/Remote Procedure Call

Policy

Setting

Comment

Enable RPC Endpoint Mapper Client Authentication

Enabled

Restrict Unauthenticated RPC clients

Enabled

RPC Runtime Unauthenticated Client Restriction to Apply:

Authenticated

System/Troubleshooting and Diagnostics/Microsoft Support Diagnostic Tool

Policy	Setting	Comment
Microsoft Support Diagnostic Tool: Turn on MSDT interactive communication with support provider	Disabled

System/Troubleshooting and Diagnostics/Windows Performance PerfTrack

Policy	Setting	Comment
Enable/Disable PerfTrack	Disabled

System/Windows Time Service/Time Providers

Policy	Setting	Comment
Enable Windows NTP Client	Enabled
Enable Windows NTP Server	Disabled

Windows Components/App Package Deployment

Policy	Setting	Comment
Allow a Windows app to share application data between users	Disabled

Windows Components/App Privacy

Policy

Setting

Comment

Let Windows apps access account information

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Policy

Setting

Comment

Let Windows apps access call history

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Policy

Setting

Comment

Let Windows apps access contacts

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Policy

Setting

Comment

Let Windows apps access email

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Policy

Setting

Comment

Let Windows apps access location

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Policy

Setting

Comment

Let Windows apps access messaging

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Policy

Setting

Comment

Let Windows apps access motion

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Policy

Setting

Comment

Let Windows apps access notifications

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Policy

Setting

Comment

Let Windows apps access the calendar

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Policy

Setting

Comment

Let Windows apps access the camera

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Policy

Setting

Comment

Let Windows apps access the microphone

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Policy

Setting

Comment

Let Windows apps access trusted devices

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Policy

Setting

Comment

Let Windows apps control radios

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Policy

Setting

Comment

Let Windows apps make phone calls

Enabled

Default for all apps:	Force Deny
Put user in control of these specific apps (use Package Family Names):

Force allow these specific apps (use Package Family Names):

Force deny these specific apps (use Package Family Names):

Windows Components/App runtime

Policy	Setting	Comment
Allow Microsoft accounts to be optional	Enabled
Block launching Windows Store apps with Windows Runtime API access from hosted content.	Enabled

Windows Components/AutoPlay Policies

Policy

Setting

Comment

Disallow Autoplay for non-volume devices

Enabled

Set the default behavior for AutoRun

Enabled

Default AutoRun Behavior

Do not execute any autorun commands

Windows Components/Biometrics/Facial Features

Policy	Setting	Comment
Configure enhanced anti-spoofing	Enabled

Windows Components/BitLocker Drive Encryption

Policy

Setting

Comment

Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)

Enabled

Select the encryption method for operating system drives:	XTS-AES 256-bit
Select the encryption method for fixed data drives:	XTS-AES 256-bit
Select the encryption method for removable data drives:	XTS-AES 256-bit

Windows Components/BitLocker Drive Encryption/Fixed Data Drives

Policy

Setting

Comment

Allow access to BitLocker-protected fixed data drives from earlier versions of Windows

Disabled

Choose how BitLocker-protected fixed drives can be recovered

Enabled

Allow data recovery agent	Enabled
Configure user storage of BitLocker recovery information:
	Allow 48-digit recovery password
	Allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard	Enabled
Save BitLocker recovery information to AD DS for fixed data drives	Enabled
Configure storage of BitLocker recovery information to AD DS:	Backup recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for fixed data drives	Enabled

Policy

Setting

Comment

Configure use of hardware-based encryption for fixed data drives

Enabled

Use BitLocker software-based encryption when hardware encryption is not available	Enabled
Restrict encryption algorithms and cipher suites allowed for hardware-based encryption	Disabled
Restrict crypto algorithms or cipher suites to the following:	2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42

Policy

Setting

Comment

Configure use of passwords for fixed data drives

Disabled

Configure use of smart cards on fixed data drives

Enabled

Require use of smart cards on fixed data drives

Disabled

Windows Components/BitLocker Drive Encryption/Operating System Drives

Policy

Setting

Comment

Allow enhanced PINs for startup

Enabled

Allow Secure Boot for integrity validation

Enabled

Choose how BitLocker-protected operating system drives can be recovered

Enabled

Allow data recovery agent	Enabled
Configure user storage of BitLocker recovery information:
	Require 48-digit recovery password
	Do not allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard	Enabled
Save BitLocker recovery information to AD DS for operating system drives	Enabled
Configure storage of BitLocker recovery information to AD DS:	Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives	Enabled

Policy

Setting

Comment

Configure minimum PIN length for startup

Enabled

Minimum characters:

Policy

Setting

Comment

Configure use of hardware-based encryption for operating system drives

Enabled

Use BitLocker software-based encryption when hardware encryption is not available	Enabled
Restrict encryption algorithms and cipher suites allowed for hardware-based encryption	Disabled
Restrict crypto algorithms or cipher suites to the following:	2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42

Policy

Setting

Comment

Configure use of passwords for operating system drives

Disabled

Require additional authentication at startup

Enabled

Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive)	Disabled
Settings for computers with a TPM:
Configure TPM startup:	Do not allow TPM
Configure TPM startup PIN:	Require startup PIN with TPM
Configure TPM startup key:	Do not allow startup key with TPM
Configure TPM startup key and PIN:	Allow startup key and PIN with TPM

Windows Components/BitLocker Drive Encryption/Removable Data Drives

Policy

Setting

Comment

Allow access to BitLocker-protected removable data drives from earlier versions of Windows

Disabled

Choose how BitLocker-protected removable drives can be recovered

Enabled

Allow data recovery agent	Enabled
Configure user storage of BitLocker recovery information:
	Do not allow 48-digit recovery password
	Do not allow 256-bit recovery key
Omit recovery options from the BitLocker setup wizard	Enabled
Save BitLocker recovery information to AD DS for removable data drives	Enabled
Configure storage of BitLocker recovery information to AD DS:	Backup recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for removable data drives	Enabled

Policy

Setting

Comment

Configure use of hardware-based encryption for removable data drives

Enabled

Use BitLocker software-based encryption when hardware encryption is not available	Enabled
Restrict encryption algorithms and cipher suites allowed for hardware-based encryption	Disabled
Restrict crypto algorithms or cipher suites to the following:	2.16.840.1.101.3.4.1.2;2.16.840.1.101.3.4.1.42

Policy

Setting

Comment

Configure use of passwords for removable data drives

Disabled

Configure use of smart cards on removable data drives

Enabled

Require use of smart cards on removable data drives

Disabled

Policy

Setting

Comment

Deny write access to removable drives not protected by BitLocker

Enabled

Do not allow write access to devices configured in another organization

Disabled

Windows Components/Cloud Content

Policy	Setting	Comment
Turn off Microsoft consumer experiences	Enabled

Windows Components/Credential User Interface

Policy	Setting	Comment
Do not display the password reveal button	Enabled
Enumerate administrator accounts on elevation	Disabled

Windows Components/Data Collection and Preview Builds

Policy

Setting

Comment

Allow Telemetry

Enabled

0 - Security [Enterprise Only]

Policy

Setting

Comment

Disable pre-release features or settings

Disabled

Do not show feedback notifications

Enabled

Toggle user control over Insider builds

Disabled

Windows Components/Delivery Optimization

Policy	Setting	Comment
Download Mode	Disabled

Windows Components/EMET

Policy

Setting

Comment

Default Action and Mitigation Settings

Enabled

Deep Hooks:	Enabled
Anti Detours:	Enabled
Banned Functions:	Enabled
Exploit Action:	User Configured

Policy

Setting

Comment

System ASLR

Enabled

ASLR Setting:

Application Opt-In

Policy

Setting

Comment

System DEP

Enabled

DEP Setting:

Application Opt-Out

Policy

Setting

Comment

System SEHOP

Enabled

SEHOP Setting:

Application Opt-Out

Windows Components/Event Log Service/Application

Policy

Setting

Comment

Control Event Log behavior when the log file reaches its maximum size

Disabled

Specify the maximum log file size (KB)

Enabled

Maximum Log Size (KB)

32768

Windows Components/Event Log Service/Security

Policy	Setting	Comment
Control Event Log behavior when the log file reaches its maximum size	Disabled

Windows Components/Event Log Service/Setup

Policy

Setting

Comment

Control Event Log behavior when the log file reaches its maximum size

Disabled

Specify the maximum log file size (KB)

Enabled

Maximum Log Size (KB)

32768

Windows Components/Event Log Service/System

Policy

Setting

Comment

Control Event Log behavior when the log file reaches its maximum size

Disabled

Specify the maximum log file size (KB)

Enabled

Maximum Log Size (KB)

196608

Windows Components/File Explorer

Policy	Setting	Comment
Turn off Data Execution Prevention for Explorer	Disabled
Turn off heap termination on corruption	Enabled
Turn off shell protocol protected mode	Disabled

Windows Components/HomeGroup

Policy	Setting	Comment
Prevent the computer from joining a homegroup	Enabled	Homegroup Feature removed in 1803

Windows Components/Internet Explorer

Policy

Setting

Comment

Prevent bypassing SmartScreen Filter warnings

Enabled

Prevent managing SmartScreen Filter

Enabled

Select SmartScreen Filter mode

Windows Components/Internet Explorer/Internet Control Panel/Security Page/Internet Zone

Policy

Setting

Comment

Turn on SmartScreen Filter scan

Enabled

Use SmartScreen Filter

Enable

Windows Components/Location and Sensors

Policy	Setting	Comment
Turn off location	Enabled

Windows Components/Microsoft Edge

Policy

Setting

Comment

Allow InPrivate browsing

Disabled

Configure cookies

Enabled

Configure Cookies

Block only 3rd-party cookies

Policy

Setting

Comment

Configure Password Manager

Disabled

Configure Pop-up Blocker

Enabled

Configure search suggestions in Address bar

Disabled

Prevent bypassing Windows Defender SmartScreen prompts for files

Enabled

Prior 1607, name was: Don't allow SmartScreen Filter warning overrides for unverified files

Prevent using Localhost IP address for WebRTC

Enabled

Windows Components/OneDrive

Policy	Setting	Comment
Prevent the usage of OneDrive for file storage	Enabled

Windows Components/Remote Desktop Services/Remote Desktop Connection Client

Policy	Setting	Comment
Do not allow passwords to be saved	Enabled

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Connections

Policy	Setting	Comment
Allow users to connect remotely by using Remote Desktop Services	Disabled

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Device and Resource Redirection

Policy	Setting	Comment
Do not allow COM port redirection	Enabled
Do not allow drive redirection	Enabled
Do not allow LPT port redirection	Enabled
Do not allow supported Plug and Play device redirection	Enabled

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security

Policy

Setting

Comment

Always prompt for password upon connection

Enabled

Require secure RPC communication

Enabled

Set client connection encryption level

Enabled

Encryption Level	High Level
Choose the encryption level from the drop-down list.

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Session Time Limits

Policy

Setting

Comment

Set time limit for active but idle Remote Desktop Services sessions

Enabled

Idle session limit:

5 minutes

Policy

Setting

Comment

Set time limit for disconnected sessions

Enabled

End a disconnected session

1 minute

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Temporary folders

Policy	Setting	Comment
Do not delete temp folders upon exit	Enabled
Do not use temporary folders per session	Disabled

Windows Components/RSS Feeds

Policy	Setting	Comment
Prevent downloading of enclosures	Enabled

Windows Components/Search

Policy	Setting	Comment
Allow Cortana	Disabled
Allow indexing of encrypted files	Disabled
Allow search and Cortana to use location	Disabled

Windows Components/Software Protection Platform

Policy	Setting	Comment
Turn off KMS Client Online AVS Validation	Enabled

Windows Components/Store

Policy	Setting	Comment
Disable all apps from Windows Store	Enabled
Turn off Automatic Download and Install of updates	Enabled
Turn off the offer to update to the latest version of Windows	Enabled
Turn off the Store application	Enabled

Windows Components/Windows Defender Antivirus/MAPS

Policy

Setting

Comment

Join Microsoft MAPS

Enabled

Join Microsoft MAPS

Disabled

Windows Components/Windows Defender SmartScreen/Explorer

Policy

Setting

Comment

Configure Windows Defender SmartScreen

Enabled

Pick one of the following settings:

Warn and prevent bypass

Windows Components/Windows Defender SmartScreen/Microsoft Edge

Policy	Setting	Comment
Configure Windows Defender SmartScreen	Enabled

Windows Components/Windows Error Reporting

Policy	Setting	Comment
Disable Windows Error Reporting	Enabled

Windows Components/Windows Game Recording and Broadcasting

Policy	Setting	Comment
Enables or disables Windows Game Recording and Broadcasting	Disabled

Windows Components/Windows Installer

Policy	Setting	Comment
Allow user control over installs	Disabled
Always install with elevated privileges	Disabled
Prevent Internet Explorer security prompt for Windows Installer scripts	Disabled

Windows Components/Windows Logon Options

Policy	Setting	Comment
Sign-in last interactive user automatically after a system-initiated restart	Disabled

Windows Components/Windows PowerShell

Policy

Setting

Comment

Turn on PowerShell Script Block Logging

Enabled

Log script block invocation start / stop events:

Disabled

Policy

Setting

Comment

Turn on PowerShell Transcription

Disabled

Windows Components/Windows Remote Management (WinRM)/WinRM Client

Policy	Setting	Comment
Allow Basic authentication	Disabled
Allow unencrypted traffic	Disabled
Disallow Digest authentication	Enabled

Windows Components/Windows Remote Management (WinRM)/WinRM Service

Policy	Setting	Comment
Allow Basic authentication	Disabled
Allow unencrypted traffic	Disabled
Disallow WinRM from storing RunAs credentials	Enabled

Windows Components/Windows Remote Shell

Policy	Setting	Comment
Allow Remote Shell Access	Disabled

Windows Components/Windows Update

Policy

Setting

Comment

Configure Automatic Updates

Enabled

Configure automatic updating:	4 - Auto download and schedule the install
The following settings are only required and applicable if 4 is selected.
Install during automatic maintenance	Disabled
Scheduled install day:	0 - Every day
Scheduled install time:	03:00
If you have selected “4 – Auto download and schedule the install” for your scheduled install day and specified a schedule, you also have the option to limit updating to a weekly, bi-weekly or monthly occurrence, using the options below:
Every week	Enabled
First week of the month	Disabled
Second week of the month	Disabled
Third week of the month	Disabled
Fourth week of the month	Disabled

Install updates for other Microsoft products	Disabled

Policy

Setting

Comment

No auto-restart with logged on users for scheduled automatic updates installations

Disabled

Windows Components/Windows Update/Windows Update for Business

Policy

Setting

Comment

Select when Preview Builds and Feature Updates are received

Enabled

08202-0039: Is ’Defer Upgrades and Updates’ set to ’Enabled: 1 months, 0 weeks

Select the Windows readiness level for the updates you want to receive:	Semi-Annual Channel (Targeted)
After a Preview Build or Feature Update is released, defer receiving it for this many days:	31
Pause Preview Builds or Feature Updates starting:
(format yyyy-mm-dd example: 2016-10-30)

gp-pack.com-BSI-BPOL_Windows_10_Sicherheitsmodul_Bundespolizei