Windows 10 2004 security baseline has 4 settings changes

by Don Sharpe
Don Sharpe
Don Sharpe
Don has been writing professionally for over 10 years now, but his passion for the written word started back in his elementary school days. His work has been... read more
Affiliate Disclosure
  • Microsoft announced new changes to Windows 10 2004 security baseline.
  • The updates touch on password length policies, Microsoft Defender ATP, and more Windows security features.
  • To discover other ways to optimally secure your PC, check out the Windows 10 Security section.
  • You can always stop by the Windows 10 for news and all matters updates pertaining to the operating system and Windows apps, including Microsoft Office.
Windows baseline security changes

Applying best practices to your Windows 10 security is no easy task, even with all the antivirus tools available to you, including Microsoft Defender Advanced Threat Protection (MDATP).

But the Microsoft security baseline can make things a lot easier for you when you’re configuring your environment to minimize its attack surface.

Well, Microsoft recently released the fundamental security configuration settings for Windows 10 and Windows Server 2004.

4 configuration settings updates for Windows 10 2004 security baseline

1. Extended Protection for LDAP Authentication

Microsoft has updated the MS Security Guide to make Extended Protection for LDAP Authentication part of Windows. The setting isn’t new though as it came with the Windows Server v1809 Domain Controller baseline.

With the latest security baseline changes, you can use Extended Protection for LDAP Authentication without having to create a custom ADMX. In addition, the policy is available to all Active Directory domain controllers.

The Extended Protection for LDAP Authentication baseline value remains the same though. Only its location has changed.

However, you need to have installed the March 10, 2020 security patch to configure the policy on Windows 10.

2. Microsoft Defender ATP file hash

MDATP users now have the option to turn on file hashing and enhance blocking for custom indicators in the Windows antivirus.

When the new setting is on, Windows computes a file hash for every executable file that MDATP scans.

But there’s a catch—MDATP file hashing may slow down your PC. It’ll certainly take a toll on your machine if you frequently install or develop executables or update your applications.

Microsoft explains:

The scenarios where you may want to test more thoroughly for performance include devices where you frequently create new executable content (for example, developers) or where you install or update applications extremely frequently.

The tool mitigates the performance impact by generating file hashes only once for each scanned executable. Still, you may want to keep the new setting off if you don’t use Microsoft Defender ATP.

If you really have to use the setting, Microsoft recommends that you implement it in a controlled manner. This will allow you to do a thorough performance cost analysis.

3. Windows 10 Account Password Length

Microsoft appears very committed to building systems that require no passwords to access. You can tell that from the latest improvements on features like Windows Hello.

After deprecating the Windows 10 account password expiry policy, the Redmond tech giant introduced two new password security settings.

Relax minimum password length limits is one of the new settings, and it allows admins to enforce user password lengths of up to 128 characters. Before this update, users couldn’t set passwords longer than 14 characters.

Longer passwords are obviously more difficult to guess and are an important safeguard against brute force attacks.

Microsoft says that the new setting may be incompatible with existing systems and processes, however. That’s why there’s the new Minimum password length audit setting.

The additional feature lets you assess the impact of changing your password length policy. Apart from that, it includes three new SAM events for configuration, errors, and awareness.

This way, you’re less likely to change your password length policies oblivious of the damage the changes may cause to other Windows systems.

Nonetheless, the new policy isn’t part of the security baseline for Windows 10 2004.

4. Behavior Monitoring

Microsoft doesn’t think Behavior Monitoring requires enforcement, so it removed it from the security baseline. As a result, the feature is no longer in its usual location.

Microsoft added:

We are removing Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\Turn on behavior monitoring.

Besides announcing the security baseline changes, Microsoft revealed that it will be releasing updates for LGPO and Policy Analyzer.

What’s your take on the latest Windows 10 security baseline updates? Please share your thoughts in the comments section below.

This article covers:Topics: