Microsoft earlier today released its security baseline package for Windows 10 21H2 November 2021 update in the form of the Microsoft Security Configuration Toolkit. The toolkit provides a Microsoft-recommended security baseline in order to help administrators better manage various enterprise Group Policy Objects (GPOs), among other things, without compromising security.
Here's how Microsoft defines its Security Configuration Toolkit:
The Microsoft Security Configuration Toolkit enables enterprise security administrators to effectively manage their enterprise’s Group Policy Objects (GPOs). Using the toolkit, administrators can compare their current GPOs with Microsoft-recommended GPO baselines or other baselines, edit them, store them in GPO backup file format, and apply them via a domain controller or inject them directly into testbed hosts to test their effects.
The new baseline introduces several new policy settings like printer driver installation restrictions to prevent scenarios like the infamous PrintNightmare episode, and "Tamper Protection" that could help against "Human Operated Ransomware", among other threats. Besides these two, Edge Legacy settings have also been done away with under this new baseline.
In case of the new printer driver installation restriction, Microsoft says:
We have added a new setting to the MS Security Guide (Administrative Templates\Printers\Limits print driver installation to Administrators) and enforced the enablement. Note this setting was previously a custom setting in SecGuide.admx/l and has since moved inbox.
And when it comes to Tamper Protection, the feature, Microsoft says, can prevent a malware from:
Disabling virus and threat protection
Disabling real-time protection
Turning off behavior monitoring
Disabling antivirus (such as IOfficeAntivirus (IOAV))
Disabling cloud-delivered protection
Removing security intelligence updates
Disabling automatic actions on detected threats
This baseline was already released for Windows 11 back when the OS was made publicly available in October. Besides these policy setting changes, the Windows 11 baseline also adds the option for allowing Script Scanning.
You can find the link to download the Microsoft Security Compliance Toolkit 1.0 here.