Microsoft published the final release of the security configuration baseline settings for Windows 10 v1903 and Windows Server 2019 (core) v1903.
Some of the changes:
- Enabling the new “Enable svchost.exe mitigation options” policy
- Configuring the new App Privacy setting
- Disabling multicast name resolution (LLMNR) to mitigate server spoofing threats.
- Restricting the NetBT NodeType to P-node
- Correcting an oversight in the Domain Controller baseline by adding recommended auditing settings for Kerberos authentication service
- Dropping the password-expiration policies that require periodic password changes
- Dropping the specific BitLocker drive encryption method and cipher strength settings
- Dropping the File Explorer “Turn off Data Execution Prevention for Explorer” and “Turn off heap termination on corruption” settings
- Dropping the enforcement of the default behavior of disabling the built-in Administrator and Guest accounts
- Dropped a Windows Defender Antivirus setting that applies only to legacy email file formats.
- Changed the Windows Defender Exploit Protection XML configuration
More info: Microsoft Security Guidance blog | Technet
Download: Microsoft Security Compliance Toolkit 1.0