You are here:   Research
  |  Login

Welcome to my blog, quickest way to find articles is usually to search for them.

Minimize
Search in All Title Contents
 
     

Importing Windows 10 Security Baselines using PowerShell

Oct 15 2016

Here is a PowerShell script that will import the various Windows 10 and Windows Server 2016 security baselines that Microsoft provides.

 

Downloading

The Windows 10 v1803 (FINAL) security baselines can be downloaded from the link below:

The Windows 10 v1607 (also referenced as Redstone 1 release, or RS1) and Windows Server 2016 security baselines can be downloaded from the link below:

The Windows 10 v1511 security baselines (also referenced as Threshold 2 release, or TH2) can be downloaded from the link below:

 

Importing using PowerShell

For the Windows 10 and Windows Server 2016 baselines, once downloaded, extract the Windows-10-<version>-Security-Baseline.zip file and adjust the script path to where you extracted the folder. For example, the C:\Setup\Windows 10 v1803 and Windows Server 2016 Security Baselines\GPOs folder.

 

Windows 10 v1803

# Script to import Windows 10 Security Baselines
#
# Yep, I know I can parse the manifest.xml file for orginal names and ID ...
# And the v1803 baseline release even contains as script (Local_Script\Tools\MapGuidsToGpoNames.ps1) that does it.
# But I wanted to use slightly different names, so therefore the array :)
 
$GPOPath = 'C:\Setup\Windows-10-RS4-Security-Baseline-FINAL\GPOs'
 
$GPOs = @()
$GPOs += @{"Name"="Windows 10 v1803 - Computer";"BackupID"="3C537678-BBC4-4F10-AACE-5D44C468CC6C"}
$GPOs += @{"Name"="Windows 10 v1803 - User";"BackupID"="8E3D0A57-07DB-4723-B072-A6374FCC0779"}
$GPOs += @{"Name"="Windows 10 v1803 - BitLocker";"BackupID"="2BE77E31-F6AC-479A-8DA4-093B6DA8F349"}
$GPOs += @{"Name"="Windows 10 v1803 and Server 2016 - Defender Antivirus";"BackupID"="6D1D9215-0E34-4AD9-B4B9-B5ED8B8C83DA"}
$GPOs += @{"Name"="Windows 10 v1803 and Server 2016 - Credential Guard";"BackupID"="1CBF32AF-581B-400B-B3D7-304B50200C36"}
$GPOs += @{"Name"="Internet Explorer 11 - User";"BackupID"="4B434505-3663-4D3E-80EE-5E5B3334D6D6"}
$GPOs += @{"Name"="Windows 10 v1803 and Server 2016 - Domain Security";"BackupID"="BEEC0E5D-EEDC-44BC-9D28-41693B3CE82A"}
$GPOs += @{"Name"="Internet Explorer 11 - Computer";"BackupID"="3BF11821-7EF8-43F9-9CBB-87D79F78D564"}
 
foreach ($GPO in $GPOs) {
    Import-GPO -BackupId $GPO.BackupID -Path $GPOPath -TargetName $GPO.Name -CreateIfNeeded
}

 

Windows 10 v1607

# Script to import Windows 10 Security Baselines
#
# Yep, I know I can parse the manifest.xml file for orginal names and ID ...
# And the v1607 baseline release even contains as script (Local_Script\Tools\MapGuidsToGpoNames.ps1) that does it.
# But I wanted to use slightly different names, so therefore the array :)

$GPOPath = 'C:\Setup\Windows 10 v1607 and Server 2016 Security Baseline\GPOs'

$GPOs = @()
$GPOs += @{"Name"="Windows 10 v1607 and Server 2016 - Internet Explorer 11 - User";"BackupID"="B0AA555D-B555-4832-9BA6-2D5A973A7B92"}
$GPOs += @{"Name"="Windows 10 v1607 and Server 2016 - Credential Guard";"BackupID"="714FD77E-8FDD-4CB0-B3F7-FF49815473FF"}
$GPOs += @{"Name"="Windows 10 v1607 - BitLocker";"BackupID"="23D00834-1B40-4F45-A461-8F833529994C"}
$GPOs += @{"Name"="Windows 10 v1607 - User";"BackupID"="EB965378-F079-41EE-AF63-54900D1D771C"}
$GPOs += @{"Name"="Windows Server 2016 - Member Server Baseline - Computer";"BackupID"="088E04EC-440C-48CB-A8D7-A89D0162FBFB"}
$GPOs += @{"Name"="Windows Server 2016 - Domain Controller Baseline";"BackupID"="37BBB33A-A159-427D-AD58-67B1BE126AD6"}
$GPOs += @{"Name"="Windows 10 v1607 - Computer";"BackupID"="F6584239-28E8-4F44-B860-08FEDD241565"}
$GPOs += @{"Name"="Windows 10 and Server 2016 - Domain Security";"BackupID"="1D2C9D38-6BB1-4C90-B5EB-2850EA18AE06"}
$GPOs += @{"Name"="Windows 10 v1607 and Server 2016 - Internet Explorer 11 - Computer";"BackupID"="07177AF8-97DF-407D-89A6-C875CD1784BC"}
$GPOs += @{"Name"="Windows Server 2016 - Member Server Baseline - User";"BackupID"="9C87270F-7704-41D9-A76D-C8B9ADB1794A"}
$GPOs += @{"Name"="Windows 10 and Server 2016 - Defender";"BackupID"="4095647A-14FE-4CE4-955A-F2311B0D62D1"}

foreach ($GPO in $GPOs) {
    Import-GPO -BackupId $GPO.BackupID -Path $GPOPath -TargetName $GPO.Name -CreateIfNeeded
}

Windows 10 v1511

# Script to import Windows 10 Security Baselines
#
# Yep, I know I can parse the manifest.xml or backup.xml files for orginal names and ID ...
# But I wanted to use slightly different names, so therefore the array :)

$GPOPath = 'C:\Setup\Windows 10 v1511 Security Baselines\GPOs'

$GPOs = @()
$GPOs += @{"Name"="Windows 10 - Credential Guard";"BackupID"="2D2F193A-6219-4508-BE94-DCCB289FEAEB"}
$GPOs += @{"Name"="Windows 10 - Domain Security";"BackupID"="6ADC1948-09A1-47C2-B1B8-B22E397CE724"}
$GPOs += @{"Name"="Windows 10 - BitLocker";"BackupID"="6C93418C-FED8-4184-925D-94CFB496B5F1"}
$GPOs += @{"Name"="Internet Explorer 11 - User";"BackupID"="8BFF2654-0813-4FFB-A677-D8D4874A0F70"}
$GPOs += @{"Name"="Internet Explorer 11 - Computer";"BackupID"="13EF1215-570A-4B8F-A3B0-F3BB70C96C18"}
$GPOs += @{"Name"="Windows 10 - Computer";"BackupID"="37BD6154-904F-4071-9055-CB0633EE30EF"}
$GPOs += @{"Name"="Windows 10 - User";"BackupID"="F563261D-E0B5-4CC3-A7E6-DE2CEBCFBD76"}

foreach ($GPO in $GPOs) {
    Import-GPO -BackupId $GPO.BackupID -Path $GPOPath -TargetName $GPO.Name -CreateIfNeeded
}

 

image
Windows 10 security policies imported.









Deployment News


Happy deployment, and thanks for reading!


What our lawyers makes us say:

This information is provided "AS IS" with no warranties, confers no rights and is not supported by the authors or Deployment Artist.

Copyright © 2017 by Deployment Artist (the company behind deployment research). All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don't pass off our work as yours, it's not nice.

Blog Archive

Minimize




Where you can meet us!

Live Stream Recordings
ConfigMgr 1806 and W10 OSD

5 Days - Mega Geek Week 
(multiple classes, ConfigMgr, OSD etc.)
- Johan Arwidmark, Mikael Nystrom...
Jun 10, 2019, Chicago, IL, US

4 Days - Windows 10 OSD Classes
- Johan Arwidmark
May 20, 2019, San Diego, CA, US
Jun 17, 2019, Culemborg, NL
Jul 8, 2019, Phoenix, AZ, US

5 days - ConfigMgr Classes
- Johan Arwidmark and Kent Agerlund
Apr 8, 2019, Chicago, IL, US
Apr 22, 2019, Houston, TX, US

Video-based trainings
https://online.truesec.com
https://deploymentartist.com/Training/Videos

MDT, Windows 10 and ConfigMgr Books
http://deploymentartist.com/Books

Contact Info
http://deploymentresearch.com/theteam