Windows 10

Group Policy Objects for [Computer](./Group Policy Objects/Computer/) and [User](./Group Policy Objects/User/) policies for Windows 10 are included in the SHB.

[Group Policy Templates](./Group Policy Templates/) have been added to this repository for convenience. This repository contains the latest versions of the templates, some of which have changed since the Windows 10 Version 1511 templates were released. Changes appear to have occurred in:

  • CipherSuiteOrder.adml
  • WindowsStore.adml
  • WinMaps.adml
  • WindowsStore.admx
  • WinMaps.admx

In some cases templates were renamed, which leads to error messages when different template files contain the same Group Policy definitions (e.g. Namespace 'Microsoft.Policies.WindowsStore' is already defined as the target namespace for another file in the store, Namespace 'Microsoft.Policies.Sensors.WindowsLocationProvider' is already defined as the target namespace for another file in the store).
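A read-only check for the duplicate-namespace condition described above, as an added example that is not part of the SHB repository: it lists the ADMX files in a folder that declare the same target namespace. The function name, the file name RenamedCopy.admx and the sample templates written to a temp folder are constructed for illustration.

```powershell
function Get-DuplicateAdmxNamespace {
    param(
        # Folder holding the .admx files, e.g. a local or central PolicyDefinitions store.
        [Parameter(Mandatory)] [string]$Path
    )
    # local-name() keeps the query independent of the xmlns the template declares.
    $xpath = "/*[local-name()='policyDefinitions']/*[local-name()='policyNamespaces']/*[local-name()='target']"
    $targets = foreach ($file in Get-ChildItem -LiteralPath $Path -Filter '*.admx' -File) {
        try {
            $doc = [xml](Get-Content -LiteralPath $file.FullName -Raw)
        } catch {
            Write-Warning "Skipping unparsable template: $($file.Name)"
            continue
        }
        # <target namespace="..."> is the namespace the file itself defines;
        # <using> entries only reference other files and are ignored here.
        $node = $doc.SelectSingleNode($xpath)
        if ($node) {
            [pscustomobject]@{ Namespace = $node.GetAttribute('namespace'); File = $file.Name }
        }
    }
    # Two or more files defining one namespace is the condition behind the
    # "already defined as the target namespace" error.
    $targets | Group-Object -Property Namespace | Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{ Namespace = $_.Name; Files = ($_.Group.File | Sort-Object) -join ', ' }
        }
}

# Constructed sample input: three minimal templates in a temp folder.
$demo = Join-Path ([IO.Path]::GetTempPath()) "admx-demo-$([guid]::NewGuid())"
New-Item -ItemType Directory -Path $demo | Out-Null
$template = @'
<policyDefinitions revision="1.0" schemaVersion="1.0">
  <policyNamespaces>
    <target prefix="demo" namespace="{0}" />
  </policyNamespaces>
</policyDefinitions>
'@
$samples = @{
    'WindowsStore.admx' = 'Microsoft.Policies.WindowsStore'
    'RenamedCopy.admx'  = 'Microsoft.Policies.WindowsStore'  # hypothetical older file name
    'WinMaps.admx'      = 'Microsoft.Policies.WinMaps'       # constructed namespace value
}
foreach ($name in $samples.Keys) {
    Set-Content -LiteralPath (Join-Path $demo $name) -Value ($template -f $samples[$name])
}

Get-DuplicateAdmxNamespace -Path $demo
Remove-Item -LiteralPath $demo -Recurse -Force
```

Pointing `-Path` at the folder the templates were copied into shows which files to reconcile before opening the Group Policy editor.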

Importing the Windows Group Policy

Importing the Windows domain Group Policy

Use the PowerShell Group Policy commands to import the Windows Group Policy into a domain. Run the following command on a domain controller from a PowerShell prompt running as a domain administrator.

Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'Windows'

Importing the Windows local Group Policy

Use Microsoft's LGPO tool to apply the Windows Group Policy to a standalone system. Run the following command from a command prompt running as a local administrator.

Invoke-ApplySecureHostBaseline -Path '.\Secure-Host-Baseline' -PolicyNames 'Windows' -ToolPath '.\LGPO\lgpo.exe'

Hardware

See the Hardware page for more information about hardware and firmware requirements to take full advantage of Windows 10 security features.

Remove Legacy Features

It is highly recommended to remove legacy features and protocols, as known and unknown vulnerabilities in them expose the network to severe risk. NSA Information Assurance has issued security guidance for the removal of Outdated Software and Protocols. The RemoveLegacyComponents.ps1 script can be used to help with the removal of legacy components from Windows 10, such as PowerShell 2.0, SMBv1, and NetBIOS.

Guidance

NSA Information Assurance guidance for Windows 10:

Microsoft Guidance

Downloads for Windows 10

Links