Group Policy Objects for Computer and User policies for Windows 10 are included in the SHB. The latest versions of the Group Policy Templates for Windows 10 are also included.
Note that the latest SHB (10.1.0) is for Windows 10 1607 which is what this repository is in sync with.
Use the PowerShell Group Policy commands to import the Windows Group Policy into a domain. Run the following command on a domain controller from a PowerShell prompt running as a domain administrator.
Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'Windows'
Use Microsoft's LGPO tool to apply the Windows Group Policy to a standalone system. Run the following command from a command prompt running as a local administrator.
Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'Windows' -ToolPath '.\LGPO\lgpo.exe'
It is highly recommended to remove legacy features and protocols as known and unknown vulnerabilities in them expose the network to severe risk. NSA Information Assurance has issued security guidance for the removal of Outdated Software and Protocols. The Scripts folder contains a number of PowerShell modules that can be used to disable or remove legacy components from Windows 10 such as PowerShell 2.0, SMB 1.0, and NetBIOS.
NSA Information Assurance guidance for Windows 10:
- Microsoft Security Baseline for Windows 10 Version 1607
- Microsoft Security Baseline for Windows 10 Version 1511
- Microsoft Security Baseline for Windows 10 Version 1507
- Microsoft Security Toolkit
- Group Policy templates for version 1607
- Group Policy templates for version 1507 and 1511
- Group Policy reference
- Security Compliance Manager 4.0 - replaced by the Microsoft Security Toolkit