Microsoft is pleased to announce the release of the security baseline package for Windows 11, version 23H2!
Please download the content from the Microsoft Security Compliance Toolkit, test the recommended configurations, and customize / implement as appropriate.
This release includes several changes to further assist in the security of enterprise customers. Changes have been made to provide additional protections to the local admin account, Microsoft Defender Antivirus updates, and a new setting in response to an MSRC bulletin.
Re-introducing the Local Administrator Password Solution (LAPS)
LAPS is a feature that has been around for some time but was always a bolt-on solution. The legacy version of Microsoft LAPS has been deprecated as of October 23, 2023 as noted in our article on Microsoft LAPS deprecation. We have now moved the control for Windows LAPS natively inbox and its settings are located under Administrative Templates/System/LAPS. We have configured three settings:
- Configure password backup directory to a value of Enabled: Active Directory
- Enable password backup for DSRM accounts to a value of Enabled
- Enable password encryption to a value of Enabled
For the backup directory setting, we have selected the option to backup to Active Directory as the baselines are already targeted as such. For Microsoft Entra ID, the best selection will be the Azure Active Directory option which will be reflected in the Intune security baseline when it releases.
For additional details on Windows LAPS, see the Windows LAPS overview, the Windows LAPS skilling snack, and the recent announcement, Windows LAPS with Microsoft Entra ID now Generally Available.
X.509 Certificate Padding
A new custom setting has been added to the SecGuide.admx/l, Enable Certificate Padding. Certificate Padding
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: