Recommended Windows 10 GPOs

Start with the GPOs in the first list below (highlighted in RED on the original page); these were deployed to all Windows 10 systems in one College of Engineering Unit with no ill effect. After linking them, run gpupdate /force in a CMD prompt (or restart the system) to apply the policy, confirm the GPOs applied with gpresult /r (gpresult itself has no /force switch), and re-run CIS-CAT to see what the score is:

  • Shared-ITS_IA-ADV-Auditing-PCIv2-Win10
  • Shared-ITS_IA-LocalPolicies-Win10
  • Shared-ITS_IA-SCM:PassTheHashSettings
  • Shared-ITS_IA-Applocker-SoftWareRestrictions
  • Shared-ITS_IA-LocalFW-Starter-MiS
  • Shared-ITS_IA-MS-SecurityGuide-Win10
  • Shared-ITS_IA-Chrome-NEW (TEST this one)
  • Shared-ITS_IA-CipherSuites1
  • Shared-ITS_IA-CipherSuites2
  • Shared-ITS_IIA-Admin-Templates
  • Shared-ITS_IIA-MSS: Settings
  • Shared-ITS_IIA-NTFSLastAccessUpdate (enables NTFS last-access timestamp updates; useful evidence for the IR Team in forensics)
  • Shared-ITS_IIA-RDP-HighLevelEncrypt-NLA
  • Shared-ITS_IIA-Security-Options
  • Shared-ITS_IIA-Windows10PrivacyHIPAA_Aligned_OneDrive_NoWUDO (IA-recommended privacy settings for Win10; these mostly relate to Cortana)

Confirm the deployment by reviewing the gpresult output (gpresult /r, or gpresult /h report.html for a readable HTML report) and checking that none of the GPOs are listed as filtered out or denied. If the CIS-CAT score is still low, look at the GPOs in the second list below (Blue on the original page) and add them for optional enhanced security:

  • Shared-ARCTS_IA-LAPS (test this one)
  • Shared-ITS_IA-Network-Win10
  • Shared-ITS_IA-SystemServices-Win10
  • Shared-ITS_IA-TempFoldersRDP
  • Shared-ITS_IA-WindowsComponents-Win10
  • Shared-ITS_IA-LGPO_PasswordPolicy
  • Shared-ITS_IA-PreviousVersions

Be sure to check for WMI filters! Some of the shared GPOs may carry a WMI filter that limits them to particular operating systems, so a GPO that is linked but filtered out will show in gpresult as not applied (Filtering: Denied (WMI Filter)). If you copy a GPO into one of your own, confirm the copy carries the same filter, so it neither silently skips your Win10 systems nor lands on other OS versions in the same OU.
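As an added example (not part of the original page), the PowerShell below automates the check described above on a Windows 10 test system: it refreshes policy with gpupdate, exports the computer-scope RSoP with gpresult /x, and reports for each GPO in the first list whether it applied and, if not, whether the cause was a link outside the computer's scope, a disabled link, a WMI filter that excluded the system, or security filtering. The report path is an assumption; the GPO names are the ones from the first list on this page.

```powershell
# Added example, not code from the original page: refresh policy on a Windows 10
# test system, export the computer-scope RSoP as XML, and show which of the
# recommended shared GPOs applied and why any did not. Run from an elevated
# PowerShell prompt on the target system (Windows PowerShell 5.1 or later).

# GPO names from the first list on this page; trim to the ones you linked.
$ExpectedGpos = @(
    'Shared-ITS_IA-ADV-Auditing-PCIv2-Win10'
    'Shared-ITS_IA-LocalPolicies-Win10'
    'Shared-ITS_IA-SCM:PassTheHashSettings'
    'Shared-ITS_IA-Applocker-SoftWareRestrictions'
    'Shared-ITS_IA-LocalFW-Starter-MiS'
    'Shared-ITS_IA-MS-SecurityGuide-Win10'
    'Shared-ITS_IA-Chrome-NEW'
    'Shared-ITS_IA-CipherSuites1'
    'Shared-ITS_IA-CipherSuites2'
    'Shared-ITS_IIA-Admin-Templates'
    'Shared-ITS_IIA-MSS: Settings'
    'Shared-ITS_IIA-NTFSLastAccessUpdate'
    'Shared-ITS_IIA-RDP-HighLevelEncrypt-NLA'
    'Shared-ITS_IIA-Security-Options'
    'Shared-ITS_IIA-Windows10PrivacyHIPAA_Aligned_OneDrive_NoWUDO'
)

function Get-GpoDeploymentStatus {
    param(
        [Parameter(Mandatory)] [string[]] $ExpectedNames,
        # Assumed report location; any writable path works.
        [string] $ReportPath = (Join-Path $env:TEMP 'rsop-computer.xml')
    )

    # gpupdate (not gpresult) takes /force; /wait bounds how long we block on the refresh.
    gpupdate /target:computer /force /wait:120 | Out-Null
    # Machine-scope RSoP as XML; /f overwrites a report left from an earlier run.
    gpresult /scope:computer /x $ReportPath /f | Out-Null

    # The [xml] adapter ignores the RSoP XML namespace for dot-notation access.
    [xml]$rsop = Get-Content -Path $ReportPath -Raw
    $seen = @{}
    foreach ($gpo in @($rsop.Rsop.ComputerResults.GPO | Where-Object { $_ })) {
        $seen[$gpo.Name] = $gpo
    }

    foreach ($name in $ExpectedNames) {
        $gpo = $seen[$name]
        # Same reasons gpresult /h lists under "Denied GPOs", derived from the RSoP flags.
        $status =
            if (-not $gpo)                          { 'NOT IN SCOPE: no link on this computer''s site/domain/OU chain' }
            elseif ($gpo.Enabled -eq 'false')       { 'DENIED: GPO link is disabled' }
            elseif ($gpo.FilterAllowed -eq 'false') { "DENIED: WMI filter '$($gpo.FilterName)' excluded this system" }
            elseif ($gpo.AccessDenied -eq 'true')   { 'DENIED: security filtering (no Apply Group Policy permission)' }
            elseif ($gpo.IsValid -eq 'false')       { 'DENIED: GPO unreadable or missing in SYSVOL' }
            else                                    { "APPLIED via $($gpo.Link.SOMPath -join ', ')" }
        [pscustomobject]@{ GPO = $name; Status = $status }
    }
}

Get-GpoDeploymentStatus -ExpectedNames $ExpectedGpos | Format-Table -AutoSize -Wrap
```

Run it before and after each CIS-CAT pass: a low score with every GPO reported as APPLIED points at the settings themselves, while a DENIED line with a WMI filter reason means the GPO never reached the system and the score says nothing about it.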

Shared Group Policy Objects for Windows systems are in the UMROOT Active Directory domain at the following path (browse to it in the AD Group Policy Management Console, GPMC):

/adsroot.itcs.umich.edu/UMICH/Administration/IIA/Shared-GPOs

Feel free to link to these GPOs directly for temporary testing. For long-term deployment, however, back up these GPOs and import them into GPOs that you create and own, so that later changes we make to the shared GPOs cannot unexpectedly affect your Unit's systems.

NOTE: The Backup and Import Settings options in GPMC appear only when you right-click a GPO under the Group Policy Objects container; they are not offered on the GPO link shown under the OU you linked it to. GPOs are provided as-is, with no guarantees. We expect those using these GPOs to have expertise in Microsoft Active Directory and Group Policy creation, and the appropriate privileges. Use at your own risk. Last update April 2019; tested against the Windows 10 1803 build. IA expects that U-M System_Admins will help keep these GPOs current (updates and edits) by contacting IA (cbrenner).
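As an added example (not from the original page), the PowerShell below performs the same backup/import from the command line with the GroupPolicy module (RSAT): it backs up one shared GPO, imports the backup into a GPO your Unit owns (creating it if needed), re-attaches the shared GPO's WMI filter to the copy if the import did not carry it, and links the copy to a test OU. The Unit GPO name, backup folder and test OU distinguished name are placeholders; re-attaching the filter relies on the Gpo object's settable WmiFilter property, so confirm the filter on the copy in GPMC afterwards.

```powershell
# Added example, not code from the original page: copy a shared GPO into a
# Unit-owned GPO through Backup/Import, keep its WMI filter, and link the copy
# to a test OU. Needs the GroupPolicy module (RSAT) and rights to create GPOs
# and to link at the target OU. Values marked "assumed" are placeholders.
Import-Module GroupPolicy

$SharedGpoName = 'Shared-ITS_IA-LocalPolicies-Win10'                           # from the first list
$UnitGpoName   = 'MyUnit-IA-LocalPolicies-Win10'                               # assumed Unit naming
$BackupDir     = 'C:\GPO-Backups'                                              # assumed folder
$TestOU        = 'OU=Win10-Test,OU=MyUnit,DC=adsroot,DC=itcs,DC=umich,DC=edu'  # assumed test OU

function Copy-SharedGpo {
    param(
        [Parameter(Mandatory)] [string] $SourceName,
        [Parameter(Mandatory)] [string] $TargetName,
        [Parameter(Mandatory)] [string] $BackupPath,
        [string] $LinkTarget
    )
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    $source = Get-GPO -Name $SourceName

    # Backup-GPO returns a GpoBackup; its Id pins Import-GPO to this exact backup
    # even if the folder already holds older backups of the same GPO.
    $backup = Backup-GPO -Guid $source.Id -Path $BackupPath -Comment "Copy of $SourceName into $TargetName"

    # Import replaces the target's settings with the backup's settings. It does not
    # bring links, security filtering or delegation, so those are set on the copy.
    Import-GPO -BackupId $backup.Id -Path $BackupPath -TargetName $TargetName -CreateIfNeeded | Out-Null
    $target = Get-GPO -Name $TargetName

    # WMI filter: the shared GPO may be restricted to Windows 10 by a filter. Without
    # it, the copy would apply to every computer in the OU. Re-attach it if missing.
    if ($source.WmiFilter -and -not $target.WmiFilter) {
        $target.WmiFilter = $source.WmiFilter       # filter must exist in the same domain
        $target = Get-GPO -Name $TargetName         # re-read to confirm the change stuck
    }

    if ($LinkTarget) {
        # Link the Unit-owned copy, not the shared GPO, for the long-term deployment.
        New-GPLink -Guid $target.Id -Target $LinkTarget -LinkEnabled Yes | Out-Null
    }

    [pscustomobject]@{
        Source       = $source.DisplayName
        Copy         = $target.DisplayName
        SourceFilter = if ($source.WmiFilter) { $source.WmiFilter.Name } else { '<none>' }
        CopyFilter   = if ($target.WmiFilter) { $target.WmiFilter.Name } else { '<none>' }
        BackupId     = $backup.Id
        LinkedTo     = $LinkTarget
    }
}

Copy-SharedGpo -SourceName $SharedGpoName -TargetName $UnitGpoName -BackupPath $BackupDir -LinkTarget $TestOU |
    Format-List
```

Keep the backup folder: the BackupId in the output is what you pass to Import-GPO again when IA updates the shared GPO and you want to refresh your copy deliberately, rather than inheriting the change unannounced through a direct link. Within the same domain, Copy-GPO is a one-step alternative; whichever you use, the SourceFilter and CopyFilter columns should match before the copy goes to production.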

See the CIS-CAT page on Safecomputing for the benchmark scoring tool referred to above.