CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

18.9.99.2 Appand browser protection

This section contains App and browser protection settings.

This Group Policy section is provided by the Group Policy template WindowsDefenderSecurityCenter.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer). 18.9.99.2.1 (L1) Ensure 'Prevent users from modifying settings' is set to 'Enabled' (Scored)

ProfileApplicability:

 Level 1 (L1) - Corporate/Enterprise Environment (general use)

Description:

This policy setting prevent users frommaking changes to the Exploit protection settings area in the Windows Security settings.

The recommended state for this setting is: Enabled .

Rationale:

Only authorized IT staff should be able to make changes to the exploit protection settings in order to ensure the organizations specific configuration is not modified.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\App and Browser protection:DisallowExploitProtectionOverride

1171 | P a g e