A Security Baseline is an additional set of security enhancements that can be added to the original security protocols already in place in Windows. This is especially useful for the companies and organizations that prefer to take more control of their virtual security.
This Baseline adds ransomware protection for your operating system and other new policies discussed below.
Table of Contents
New in Windows 10 Version 21H2 Security Baseline
Removed Microsoft Edge Legacy Policies
Since Microsoft Edge Legacy had reached the end of support earlier this year, Windows 10 v21H2 came with only Edge Chromium. Therefore, policies for Edge Legacy have not been included with this Security Baseline.
Restrict Printer Driver Installation
Sysadmins can now prevent users with administrative rights from installing printer drivers. This addition has been included in light of a remote code execution vulnerability (CVE-2021-34527) codenamed “PrintNightmare.”
System administrators can find the Group Policy “Limits print driver installation to Administrators” at the following location within the Group Policy Editor after installing this Security Baseline:
Local Computer Policy >> Computer Configuration >> Administrative Templates >> Printers
When enabled, users with administrative privileges will no longer be able to update printer drivers.
Tamper Protection Included
Administrators can now secure their devices by enabling Microsoft Defender for Endpoint’s Tamper Protection. Enabling it will block human-operated ransomware attacks by making the necessary changes in Windows Registry so a program cannot make unauthorized changes to the operating system’s security features.
Enabling this option will prevent the attackers from performing the following tasks:
- Disable Virus and threat Protection
- Disable Real-Time Protection
- Switch off Behavior Monitoring
- Disable antivirus
- Remove security updates
- Disable automatic actions upon threat detection
You can enable Tamper Protection from the following path after installing this Security Baseline:
Settings app >> Update and Security >> Windows Security >> Virus and threat protection >> Virus and threat protection settings (Manage Settings)
Download and Install Windows 10 Version 21H2 Security Baseline
Follow the guide below to install the new Security Baseline on your Windows 10 device:
Check your current OS version by typing in winver in Run.
- Open the Microsoft Security Compliance Toolkit page and click Download.
- Check the box next to “Windows 10 version 21H2 Security Baseline.zip” and click Next.
- Windows 10 Security Baseline will now download. Since it is of only 1.2 MBs, it should be downloaded instantly. Extract the content of the zip file to a folder.
- Now navigate to the extracted folder using File Explorer and open the Scripts sub-folder. Here you will find 3 PowerShell ISE files. Right-click any one of those files and then click Run with PowerShell from the context menu.
- If prompted with a Smart Screen notification, click Run.
- If asked for a confirmation via PowerShell, type in “A” and press Enter to choose “Yes to All.”
- Now repeats steps 4, 5, and 6 for the the remaining 2 PowerShell ISE files.
Once all 3 files are executed via Windows PowerShell, Windows 10 version 21H2 Security Baseline will be installed successfully. You may now begin configuring the new changes introduced with this Baseline.
Security Baselines are an optional update for your operating system’s security. If you are an individual user and not part of an organization, you could also benefit from such Baselines by preventing other users on your PC from performing tasks that could potentially expose the system to outside threats.