Group Policy Objects for Computer and User policies for Windows 10 are included in the SHB. The latest versions of the Group Policy Templates for Windows 10 are also included.
Note that the latest SHB (10.1.0) is for Windows 10 1607 which is what this repository is in sync with.
Use the PowerShell Group Policy commands to import the Windows Group Policy into a domain. Run the following command on a domain controller from a PowerShell prompt running as a domain administrator.
Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'Windows'
Use Microsoft's LGPO tool to apply the Windows Group Policy to a standalone system. Run the following command from a command prompt running as a local administrator.
Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'Windows' -ToolPath '.\LGPO\lgpo.exe'
See the Hardware page for more information about hardware and firmware requirements to take full advantage of Windows 10 security features.
It is highly recommended to remove legacy features and protocols as known and unknown vulnerabilities in them expose the network to severe risk. NSA Information Assurance has issued security guidance for the removal of Outdated Software and Protocols. The Scripts folder contains a number of PowerShell modules that can be used to disable or remove legacy components from Windows 10 such as PowerShell 2.0, SMB 1.0, and NetBIOS.
NSA Information Assurance guidance for Windows 10:
- Microsoft Security Baseline for Windows 10 Version 1607
- Microsoft Security Baseline for Windows 10 Version 1511
- Microsoft Security Baseline for Windows 10 Version 1507