Microsoft has released its Windows 11 Security Baseline along with the operating system’s official launch on 5 October 2021. You can download and install the Security Baseline using the guide provided down below.
A Security Baseline is an additional set of security enhancements that can be added to the original security protocols already in place in Windows. This is especially useful for the companies and organizations that prefer to take more control of their virtual security.
If you are a system administrator, installing a Security Baseline on a Windows 11 computer will add additional options to the Group Policy so you can control and push those settings to other devices on the entire network.
Table of Contents
The Windows 11 Security Baseline has been released as a component of Microsoft Security Compliance Toolkit 1.0.
Here is how you can download and install Windows 11 Security Baseline.
Download and install Windows 11 Security Baseline
Follow the guide below to install the new Security Baseline on your Windows 11 device:
- Open the Microsoft Security Compliance Toolkit page and click Download.
- Check the box next to “Windows 11 Security Baseline.zip” and click Next.
- Windows 11 Security Baseline will now download. Since it is of only 1.2 MBs, it should be downloaded instantly. Extract the content of the zip file to a folder.
- Now navigate to the extracted folder and open the Scripts sub-folder. Here you will find 3 PowerShell ISE files. Right-click each of those files one after the other and then click Run with PowerShell from the context menu.
- The scripts will now run automatically. Wait for the PowerShell window to close on its own.
Once all 3 files are executed via Windows PowerShell, Windows 11 Security Baseline will be installed successfully.
Let us now see what changes this baseline introduces for Windows 11
What’s new in Windows 11 Security Baseline
Microsoft has added a few additional security enhancements to Windows 11 via its Security Baseline, which adds 2 new settings to its controls, a new Windows Defender setting, and customized settings regarding printer driver installation restrictions.
This baseline also removes all settings for Microsoft Edge’s legacy, since Windows 11 comes with preinstalled Microsoft Chromium-based Edge. Here are the details:
Note: These are the same Security Baselines also incorporated in Windows Server 2022.
Script Scanning is always enabled
Script Scanning is a method used by Windows to scan the scripts before they are executed. This was a parity gap between Group Policy and Mobile Device Management (MDM). Since there is no more parity gap, Script Scanning will now always be enabled.
The Group Policy “Turn on script scanning” can be found at the following path within the Group Policy Editor (gpedit.msc):
Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Antivirus >> Real-time protection
Restrict Print Driver installation to Administrators
Group Policy Object “Limit print driver installation to Administrator” has now been enforced to enable. This policy can be found on the following path within the Group Policy Editor:
Computer Configuration >> Administrative Templates >> Printers
This setting is especially useful to avoid the Print Nightmare vulnerability in Windows printing system which could compromise the system and give control to a hacker very easily.
Removal of Microsoft Edge Legacy settings
Since Microsoft Edge Legacy has been replaced by Microsoft Chromium-based Edge, and the legacy’s support had also ended on 9 March 2021, Microsoft also removes all associated settings as well.
Since the settings won’t be required any longer, they can be replaced by Microsoft Edge v93 Security Baseline, which is also a part of Microsoft Security Compliance Toolkit 1.0.
You can download Microsoft Edge Security Compliance separately by selecting the aligning checkbox.
Enable Tamper Protection
Tamper Protection is a feature of Microsoft Defender that prevents malicious scripts and programs to tamper with the core values of the Defender itself. This prevents attackers from manipulating Windows Registry values.
You can now turn this feature on by following these steps:
Navigate to the following:
Settings app >> Privacy and Security >> Windows Security >> Virus and threat protection
Now scroll down and click Manage settings under Virus and threat protection settings.
Now scroll down again and click the slider beneath Tamper Protection to turn it on.
Closing words
Windows 11 has only just launched and we are not sure just how safe it is yet. Although Microsoft has published a very detailed Windows 11 Security Book that illustrates how Windows 11 is designed around security methodologies, we have not seen Windows 11’s security with our own eyes yet.
Having said that, we recommend that you download and install Windows 11 Security Baseline regardless if you are a sysadmin or a private user. It will allow you to enhance your digital security and give you more control over it.
