Microsoft has released the final version of its security configuration baseline settings for Windows 11, downloadable today using the Microsoft Security Compliance Toolkit.
Two new settings have been added for this release: a new Microsoft Defender Antivirus setting and a custom setting for printer driver installation restrictions. When enabling the Microsoft Security Baseline for Windows 11, Redmond urges admins to ensure that the Microsoft Defender for Endpoint tamper protection feature, which adds additional protection against human-operated ransomware attacks, is enabled.
It does that by blocking attempts made by malware or threat actors to disable security solutions and OS security features that would allow them to gain easier access to sensitive data and deploy malware or malicious tools.
Tamper protection sets up Microsoft Defender Antivirus using secure default values and hinders attempts to change them via the registry, PowerShell cmdlets, or group policies. Once tamper protection is toggled on, ransomware operators would have a much more challenging task ahead of them when trying to:
- Disable virus and threat protection
- Disable real-time protection
- Turn off behavior monitoring
- Disable antivirus
- Disable cloud-delivered protection
- Remove security intelligence updates
Microsoft also added a new setting to the MS Security Guide custom administrative template to restrict printer driver installation to admins. This new recommendation follows patches released since July 2021 to address the CVE-2021-34527 PrintNightmare remote code execution vulnerability in the Windows Print Spooler service.
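A read-only check of the protections listed above and of the printer driver restriction, added here as an example and not taken from Microsoft's baseline package or the original article. It assumes Microsoft Defender Antivirus is the active antivirus; the registry path and value name come from Microsoft's Point and Print guidance rather than from this page, and the three-day signature age threshold is an arbitrary choice.

```powershell
# Added example: audits the settings tamper protection guards, plus the
# printer driver restriction. Makes no changes. Run from an elevated session.
$status = Get-MpComputerStatus   # current Defender state
$prefs  = Get-MpPreference       # configured Defender preferences

# Assumption: value name and path per Microsoft's Point and Print guidance.
$ppKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$ppName = 'RestrictDriverInstallationToAdministrators'
$ppItem = Get-ItemProperty -Path $ppKey -Name $ppName -ErrorAction SilentlyContinue

# A missing value means the policy is not configured, which is not the same as
# explicitly disabled (0), so the three cases are reported separately.
$printerState = if ($null -eq $ppItem) { 'NotConfigured' }
                elseif ($ppItem.$ppName -eq 1) { 'Pass' }
                else { 'Fail' }

$maxSignatureAgeDays = 3   # assumption: acceptable age of security intelligence

$checks = [ordered]@{
    'Tamper protection'             = $status.IsTamperProtected
    'Antivirus enabled'             = $status.AntivirusEnabled
    'Real-time protection'          = $status.RealTimeProtectionEnabled
    'Behavior monitoring'           = $status.BehaviorMonitorEnabled
    # MAPSReporting: 0 = disabled, 1 = basic, 2 = advanced
    'Cloud-delivered protection'    = ($prefs.MAPSReporting -ne 0)
    'Security intelligence current' = ($status.AntivirusSignatureAge -le $maxSignatureAgeDays)
}

$report = foreach ($name in $checks.Keys) {
    [pscustomobject]@{
        Check  = $name
        Result = if ($checks[$name]) { 'Pass' } else { 'Fail' }
    }
}
$report += [pscustomobject]@{
    Check  = 'Printer driver install restricted to admins'
    Result = $printerState
}

$report | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or compliance job flag the device.
if ($report.Result -contains 'Fail') { exit 1 }
```

A `NotConfigured` result for the printer check means the baseline's policy has not been applied, so the device is relying on whatever the installed updates set as the default.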
Microsoft also removed all Microsoft Edge Legacy settings after the EdgeHTML-based web browser reached the end of support in March and was removed from Windows 11.
Going forward, please use the new Microsoft Edge (Chromium-based) baseline, which is on a separate release cadence and available as part of the Microsoft Security Compliance Toolkit.