Security baseline for Windows 10 “Creators Update” (v1703) – DRAFT
Link: https://blogs.technet.microsoft.com...e-for-windows-10-creators-update-v1703-draft/

Two interesting takeaways initially, though I am still reviewing the changes:

- Exposing two more settings through the custom “MS Security Guide” ADMX: to enforce protections for 32-bit processes and to “Turn on Windows Defender protection against Potentially Unwanted Applications.” Setting to enforce SEHOP on all 32-bit apps (64-bit apps already enforced by default).
- Removing the “Untrusted Font Blocking” setting. We discuss the reasons for this change here.

Interesting... (still reviewing)
See: https://blogs.technet.microsoft.com...dropping-the-untrusted-font-blocking-setting/

EDIT: Mitigation no longer needed due to user-mode AppContainer protected font parsing in Anniversary Update and Creators Update.
Another interesting note is that the policies provided make it easier to apply LSA Protection (running lsass.exe as a protected process light). They also make disabling SMBv1 quick and easy.
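As an added example (this is not code from the baseline package or from either blog post), here is a PowerShell script that audits, and with -Enforce applies, the three settings mentioned in the posts above on a standalone Windows 10 host: SEHOP for 32-bit processes, LSA Protection (RunAsPPL), and removal of SMBv1. The registry locations and cmdlets are the documented ones; the script layout, the -Enforce switch and the function names are my own. Run it from an elevated session.

```powershell
# Added example, not part of the Microsoft baseline: audit and optionally enforce
# SEHOP (32-bit), LSA Protection and SMBv1 removal on one Windows 10 host.
# Requires an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Enforce   # audit only unless this switch is given (my own convention)
)

# Registry-backed settings and the value the baseline expects.
# SEHOP: DisableExceptionChainValidation = 0 means SEHOP is enforced.
# LSA Protection: RunAsPPL = 1 runs lsass.exe as a protected process light.
$RegistrySettings = @(
    @{ Name = 'SEHOP (32-bit processes)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\kernel'
       Value = 'DisableExceptionChainValidation'; Expected = 0 },
    @{ Name = 'LSA Protection (RunAsPPL)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RunAsPPL'; Expected = 1 }
)

function Test-RegistrySetting {
    param([hashtable]$Setting)
    $current = (Get-ItemProperty -Path $Setting.Path -Name $Setting.Value `
                -ErrorAction SilentlyContinue).($Setting.Value)
    [pscustomobject]@{
        Setting   = $Setting.Name
        Current   = if ($null -eq $current) { '<not set>' } else { $current }
        Expected  = $Setting.Expected
        Compliant = ($current -eq $Setting.Expected)
    }
}

function Set-RegistrySetting {
    param([hashtable]$Setting)
    if (-not (Test-Path $Setting.Path)) { New-Item -Path $Setting.Path -Force | Out-Null }
    New-ItemProperty -Path $Setting.Path -Name $Setting.Value -PropertyType DWord `
        -Value $Setting.Expected -Force | Out-Null
}

# SMBv1 has two knobs: the optional feature (client and server binaries) and the
# SMB server's own protocol switch. Both must be off. A feature state of
# 'DisablePending' means the removal is waiting for a reboot.
function Test-Smb1 {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $server  = Get-SmbServerConfiguration
    [pscustomobject]@{
        Setting   = 'SMBv1'
        Current   = "feature=$($feature.State); server=$($server.EnableSMB1Protocol)"
        Expected  = 'feature=Disabled; server=False'
        Compliant = ($feature.State -eq 'Disabled' -and -not $server.EnableSMB1Protocol)
    }
}

function Disable-Smb1 {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Audit first, so we only touch settings that are actually out of line.
$changed = $false
foreach ($s in $RegistrySettings) {
    if ($Enforce -and -not (Test-RegistrySetting $s).Compliant) {
        Set-RegistrySetting $s
        $changed = $true
    }
}
if ($Enforce -and -not (Test-Smb1).Compliant) {
    Disable-Smb1
    $changed = $true
}

# Re-audit and print the final state.
$results = @($RegistrySettings | ForEach-Object { Test-RegistrySetting $_ }) + @(Test-Smb1)
$results | Format-Table -AutoSize

# SEHOP, RunAsPPL and the SMB1 feature removal all take effect after a reboot.
if ($changed) {
    Write-Warning 'Settings were changed; reboot for them to take effect.'
}
```

Two practical caveats before running it with -Enforce on anything that matters: RunAsPPL refuses to load LSA plugins and authentication packages that are not signed to Microsoft's requirements, so run LSA Protection in audit mode first (Microsoft documents an AuditLevel setting under Image File Execution Options for LSASS.exe, with events 3065/3066 reporting what would have been blocked); and removing SMBv1 silently breaks old NAS boxes, printers and scan-to-share devices, so check the SMB server's audit logging for SMB1 access before you turn it off. On a domain-joined machine apply the baseline's GPO instead of a local script, since Group Policy will overwrite local registry edits on the next refresh anyway.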
@Trooper My apologies, I forgot to add the main blog post to the first post. I've added the main link at the top of my first post now. Sorry about that.
This one in particular was a welcome read for me. Heaven knows that the ever-present potential for, and the actual, disruptions caused by the way the font issue was handled by default plagued all earlier versions, so this new approach must also be a relief for them from that albatross.
So simply put, just keep it on. They are recommending disabling it because Microsoft web pages use untrusted fonts.
Security baseline for Windows 10 “Creators Update” (v1703) – FINAL
Link: https://blogs.technet.microsoft.com...e-for-windows-10-creators-update-v1703-final/

The differences in this baseline from the v1703 draft version are: