What's New
- Microsoft Security Baselines updated to version 2023 (23H2), which was released an hour ago. The time is relative to the creation of the PR release note.
- Improved the Readme with the new changes described in these release notes.
Changes in Microsoft Defender Category
- Improved Process Mitigations (more about them below). Simply running the Microsoft Defender category will remove the old mitigations and apply the new ones automatically. Some mitigations, such as Hardware Enforced Shadow Stack Protection (a.k.a. Kernel CFG or KCFG), are very powerful features against exploits but are only available on new CPUs, starting with Intel 12th gen CPUs. On older CPUs they simply have no effect.
- Reduced the number of days the quarantined items will be kept to 1 day from the previous 3 days.
- In the Microsoft Defender category, Enhanced Phishing Protection: removed Notify password reuse, Notify malicious, Service enabled and Notify unsafe app, because they are already applied by Microsoft Security Baselines. The only Enhanced Phishing Protection option still applied by the Harden Windows Security module is Automatic data collection (formerly known as Capture Threat Windows), which is used for security analysis of a suspicious website or app.
- Removed PUA blocking (Potentially Unwanted App) from Microsoft Defender because it's already applied by Microsoft Security Baselines.
Changes in Device Guard Category
- The entire Device Guard category is removed. Microsoft Security Baseline 23H2 implements the entire feature set of Device Guard in the most secure state, just like the Harden Windows Security module did, so it's no longer necessary to have it as a separate and/or duplicate category. The documents related to Device Guard and Virtualization Based Security in Windows are available in the wiki.
Changes in BitLocker Category
- Improved BitLocker related code; specifically, the BitLocker category for non-OS drives now has more elaborate and slightly faster code. Also improved the messages displayed on the console for non-OS drives when they are already encrypted.
- Removed the Enhanced PIN for BitLocker policy because Microsoft Security Baselines already apply it.
- Removed the policies disabling power states S1-S3 because Microsoft Security Baselines already apply them.
- Added new policy for ensuring network connectivity in standby state on modern standby capable devices. This allows Security updates for Microsoft Defender and Windows to be downloaded and installed automatically.
Changes in Windows Networking Category
- Removed the policy that disables the LLMNR protocol (Link Local Multicast Name Resolution) because it's already applied by Microsoft Security Baselines.
- That feature was only useful for networks that do not have a Domain Name System (DNS) server, and Microsoft started ramping down NetBIOS name resolution and LLMNR over a year ago.
- Removed the Turn off downloading of print drivers over HTTP policy because it's already applied by Microsoft Security Baselines.
Note
- It's more important than ever to apply the Microsoft Security Baselines category, now that it applies many of the security measures.
- Nothing from compliance checking is removed. The policies that were removed because Microsoft Security Baselines already implement them can all be verified using the Confirm-SystemCompliance cmdlet.
What's New in Process Mitigations / Exploit Protections
- Added thorough explanations to each process mitigation in the CSV file, explaining why they are used.
  - This approach logically considers each use case of the mitigations and only implements them if there is enough information about that process to guarantee it will work 100% with the mitigation, and if it makes sense to apply that mitigation in terms of security while also considering usability.
  - You can always find more info about them here: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/exploit-protection-reference
- Removed ForceRelocateImages and RequireInfo from all 1st party executables in the process mitigations list.
  - The reason is that the former is already enabled by default system-wide and the latter is only applicable to older programs.
  - RequireInfo still exists for 3rd party programs such as Adobe Acrobat, but for 1st party programs released by Microsoft it's removed, because 1st party programs do not need it, and even if hypothetically some 1st party program was missing RequireInfo, it would still do more harm than good by crashing that 1st party program.
- Removed EnableExportAddressFilter and EnableExportAddressFilterPlus from some processes that might not be compatible with them.
  - This mitigation is primarily an issue for applications such as debuggers, sandboxed applications, applications using DRM, or applications that implement anti-debugging technology.
  - The processes that used them are likely to fall into the categories mentioned above, so to prevent any possible issues or crashes in the future, they were removed from the process mitigations as a pre-emptive measure.
  - Import Address Filtering should ideally be used in conjunction with Export Address Filtering in order for it to be effective. If an attacker knows you are using Import Address Filtering without Export Address Filtering, they "could" use the export method to get the address(es) for their shellcode, and vice versa.
- Removed DisableNonSystemFonts from Edge browser process mitigations because it uses DirectWrite instead of GDI and this mitigation is not required for it.
- Removed EnableRopSimExec as it only applies to 32-bit applications. Quick Assist and Adobe Acrobat, which were using it, are 64-bit.
- Added Hardware Enforced Shadow Stack Protection Strict mode to Edge browser and Quick Assist.
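As an added example (not code from the Harden Windows Security module), the script below audits a per-process mitigation list against what Get-ProcessMitigation reports, flags the Import/Export Address Filtering pairing issue described above, and can enforce the list with Set-ProcessMitigation. The process names, the mitigation lists and the assumption that Get-ProcessMitigation groups each mitigation under a property of the same name are constructed for illustration; an elevated session is needed to apply changes.

```powershell
# Constructed desired state: process name -> mitigations (names as accepted by Set-ProcessMitigation -Enable).
$Desired = @{
    'msdge.exe'       = @('UserShadowStackStrictMode')
    'QuickAssist.exe' = @('UserShadowStackStrictMode')
    'Acrobat.exe'     = @('RequireInfo', 'EnableExportAddressFilter',
                          'EnableExportAddressFilterPlus', 'EnableImportAddressFilter')
    'Legacy32.exe'    = @('EnableImportAddressFilter')   # constructed: IAF without EAF
}

# Return processes that enable Import Address Filtering without Export Address
# Filtering (or the reverse), the incomplete pairing the notes above warn about.
function Test-AddressFilterPairing {
    param([hashtable]$Policy)
    foreach ($proc in $Policy.Keys) {
        $m   = $Policy[$proc]
        $iaf = $m -contains 'EnableImportAddressFilter'
        $eaf = ($m -contains 'EnableExportAddressFilter') -or
               ($m -contains 'EnableExportAddressFilterPlus')
        if ($iaf -ne $eaf) { $proc }
    }
}

# Read one mitigation's state (ON/OFF/NOTSET) by walking the grouped properties
# (Aslr, Payload, UserShadowStack, ...) of the Get-ProcessMitigation result.
# Assumption: each group exposes the mitigation as a property with the same name.
function Get-MitigationState {
    param([string]$ProcessName, [string]$Mitigation)
    $current = Get-ProcessMitigation -Name $ProcessName
    foreach ($group in $current.PSObject.Properties) {
        $v = $group.Value
        if ($null -ne $v -and $v.PSObject.Properties.Name -contains $Mitigation) {
            return [string]$v.$Mitigation
        }
    }
    'UNKNOWN'
}

# Report drift between the desired list and the current settings; -Apply enforces it.
function Sync-ProcessMitigations {
    param([hashtable]$Policy, [switch]$Apply)
    foreach ($proc in $Policy.Keys) {
        foreach ($mit in $Policy[$proc]) {
            $state = Get-MitigationState -ProcessName $proc -Mitigation $mit
            if ($state -ne 'ON') { "$proc : $mit is $state" }
        }
        if ($Apply) { Set-ProcessMitigation -Name $proc -Enable $Policy[$proc] }
    }
}

Test-AddressFilterPairing -Policy $Desired   # lists Legacy32.exe
Sync-ProcessMitigations   -Policy $Desired   # audit only; add -Apply to enforce
```

Run the audit first and review the drift report before using -Apply, since Set-ProcessMitigation writes the settings system-wide for the named executable.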
PR: #146