Here is a PowerShell script that will import the various Windows 10 and Windows Server 2016 security baselines that Microsoft provides.
Downloading
The Windows 10 v1803 (FINAL) security baselines can be downloaded from the link below:
- Security baseline (FINAL) for Windows 10 v1803 ("April 2018 Update")
http://blogs.technet.microsoft.com/secguide/2018/04/30/security-baseline-for-windows-10-april-2018-update-v1803-final/
The Windows 10 v1607 (also referenced as Redstone 1 release, or RS1) and Windows Server 2016 security baselines can be downloaded from the link below:
- Security baseline for Windows 10 v1607 ("Anniversary edition") and Windows Server 2016
http://blogs.technet.microsoft.com/secguide/2016/10/17/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016/
The Windows 10 v1511 security baselines (also referenced as Threshold 2 release, or TH2) can be downloaded from the link below:
- Security baseline for Windows 10 (v1511, "Threshold 2") – FINAL
http://blogs.technet.microsoft.com/secguide/2016/01/22/security-baseline-for-windows-10-v1511-threshold-2-final/
Importing using PowerShell
Once you have downloaded the Windows 10 and Windows Server 2016 baselines, extract the Windows-10–Security-Baseline.zip file and set the $GPOPath variable in the script to the GPOs folder inside the extracted folder, for example C:\Setup\Windows 10 v1803 and Windows Server 2016 Security Baselines\GPOs.
Windows 10 v1803
# Script to import Windows 10 Security Baselines
#
# Yep, I know I can parse the manifest.xml file for original names and IDs ...
# And the v1803 baseline release even contains a script (Local_Script\Tools\MapGuidsToGpoNames.ps1) that does it.
# But I wanted to use slightly different names, so therefore the array :)
$GPOPath = 'C:\Setup\Windows-10-RS4-Security-Baseline-FINAL\GPOs'
$GPOs = @()
$GPOs += @{"Name"="Windows 10 v1803 - Computer";"BackupID"="3C537678-BBC4-4F10-AACE-5D44C468CC6C"}
$GPOs += @{"Name"="Windows 10 v1803 - User";"BackupID"="8E3D0A57-07DB-4723-B072-A6374FCC0779"}
$GPOs += @{"Name"="Windows 10 v1803 - BitLocker";"BackupID"="2BE77E31-F6AC-479A-8DA4-093B6DA8F349"}
$GPOs += @{"Name"="Windows 10 v1803 and Server 2016 - Defender Antivirus";"BackupID"="6D1D9215-0E34-4AD9-B4B9-B5ED8B8C83DA"}
$GPOs += @{"Name"="Windows 10 v1803 and Server 2016 - Credential Guard";"BackupID"="1CBF32AF-581B-400B-B3D7-304B50200C36"}
$GPOs += @{"Name"="Internet Explorer 11 - User";"BackupID"="4B434505-3663-4D3E-80EE-5E5B3334D6D6"}
$GPOs += @{"Name"="Windows 10 v1803 and Server 2016 - Domain Security";"BackupID"="BEEC0E5D-EEDC-44BC-9D28-41693B3CE82A"}
$GPOs += @{"Name"="Internet Explorer 11 - Computer";"BackupID"="3BF11821-7EF8-43F9-9CBB-87D79F78D564"}
foreach ($GPO in $GPOs) {
    Import-GPO -BackupId $GPO.BackupID -Path $GPOPath -TargetName $GPO.Name -CreateIfNeeded
}
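Because the scripts on this page rely on hand-typed name/BackupID arrays, a mistyped GUID or a swapped name would import the wrong settings under a trusted-looking GPO name. The following pre-flight check is an added example, not part of the original post or of Microsoft's baseline package: it reads the original display name from each backup so the mapping can be reviewed before Import-GPO runs. The function name Test-GpoBackupMap, the sample GUIDs and the assumed backup layout ({BackupID}\Backup.xml with a DisplayName element under GroupPolicyCoreSettings) are assumptions.

```powershell
# Added example, not from the original post. Assumes each backup is stored as
# <GPOPath>\{BackupID}\Backup.xml and holds the original GPO name in a DisplayName
# element under GroupPolicyCoreSettings. Test-GpoBackupMap is a hypothetical helper.
function Test-GpoBackupMap {
    param(
        [Parameter(Mandatory)] [string] $GPOPath,
        [Parameter(Mandatory)] [hashtable[]] $GPOs
    )
    $xpath = "//*[local-name()='GroupPolicyCoreSettings']/*[local-name()='DisplayName']"
    foreach ($GPO in $GPOs) {
        $backupXml = Join-Path $GPOPath ('{' + $GPO.BackupID + '}\Backup.xml')
        $original  = $null
        if (Test-Path -LiteralPath $backupXml) {
            $xml  = [xml](Get-Content -LiteralPath $backupXml -Raw)
            $node = $xml.SelectSingleNode($xpath)
            if ($node) { $original = $node.InnerText }
        }
        # One row per array entry: the name it will get vs. the name stored in the backup
        [pscustomobject]@{
            BackupID     = $GPO.BackupID
            TargetName   = $GPO.Name
            OriginalName = $original
            Found        = ($null -ne $original)
        }
    }
}

# Constructed sample data so the check runs without the real download.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'GpoBackupDemo'
$id   = '11111111-1111-1111-1111-111111111111'   # constructed, not a real baseline ID
$dir  = Join-Path $demo ('{' + $id + '}')
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<GroupPolicyBackupScheme><GroupPolicyObject><GroupPolicyCoreSettings>
  <DisplayName><![CDATA[SAMPLE Baseline - Computer]]></DisplayName>
</GroupPolicyCoreSettings></GroupPolicyObject></GroupPolicyBackupScheme>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Backup.xml')

$sample = @(
    @{ Name = 'Sample - Computer'; BackupID = $id },
    @{ Name = 'Sample - User';     BackupID = '22222222-2222-2222-2222-222222222222' }  # no folder on disk
)
$report = Test-GpoBackupMap -GPOPath $demo -GPOs $sample
$report | Format-Table -AutoSize
if ($report.Found -contains $false) { Write-Warning 'Fix the array before running Import-GPO.' }
```

To use it for real, pass the script's own $GPOPath and $GPOs and compare the TargetName and OriginalName columns before importing.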
Windows 10 v1607
# Script to import Windows 10 Security Baselines
#
# Yep, I know I can parse the manifest.xml file for original names and IDs ...
# And the v1607 baseline release even contains a script (Local_Script\Tools\MapGuidsToGpoNames.ps1) that does it.
# But I wanted to use slightly different names, so therefore the array :)
$GPOPath = 'C:\Setup\Windows 10 v1607 and Server 2016 Security Baseline\GPOs'
$GPOs = @()
$GPOs += @{"Name"="Windows 10 v1607 and Server 2016 - Internet Explorer 11 - User";"BackupID"="B0AA555D-B555-4832-9BA6-2D5A973A7B92"}
$GPOs += @{"Name"="Windows 10 v1607 and Server 2016 - Credential Guard";"BackupID"="714FD77E-8FDD-4CB0-B3F7-FF49815473FF"}
$GPOs += @{"Name"="Windows 10 v1607 - BitLocker";"BackupID"="23D00834-1B40-4F45-A461-8F833529994C"}
$GPOs += @{"Name"="Windows 10 v1607 - User";"BackupID"="EB965378-F079-41EE-AF63-54900D1D771C"}
$GPOs += @{"Name"="Windows Server 2016 - Member Server Baseline - Computer";"BackupID"="088E04EC-440C-48CB-A8D7-A89D0162FBFB"}
$GPOs += @{"Name"="Windows Server 2016 - Domain Controller Baseline";"BackupID"="37BBB33A-A159-427D-AD58-67B1BE126AD6"}
$GPOs += @{"Name"="Windows 10 v1607 - Computer";"BackupID"="F6584239-28E8-4F44-B860-08FEDD241565"}
$GPOs += @{"Name"="Windows 10 and Server 2016 - Domain Security";"BackupID"="1D2C9D38-6BB1-4C90-B5EB-2850EA18AE06"}
$GPOs += @{"Name"="Windows 10 v1607 and Server 2016 - Internet Explorer 11 - Computer";"BackupID"="07177AF8-97DF-407D-89A6-C875CD1784BC"}
$GPOs += @{"Name"="Windows Server 2016 - Member Server Baseline - User";"BackupID"="9C87270F-7704-41D9-A76D-C8B9ADB1794A"}
$GPOs += @{"Name"="Windows 10 and Server 2016 - Defender";"BackupID"="4095647A-14FE-4CE4-955A-F2311B0D62D1"}
foreach ($GPO in $GPOs) {
    Import-GPO -BackupId $GPO.BackupID -Path $GPOPath -TargetName $GPO.Name -CreateIfNeeded
}
Windows 10 v1511
# Script to import Windows 10 Security Baselines
#
# Yep, I know I can parse the manifest.xml or backup.xml files for original names and IDs ...
# But I wanted to use slightly different names, so therefore the array :)
$GPOPath = 'C:\Setup\Windows 10 v1511 Security Baselines\GPOs'
$GPOs = @()
$GPOs += @{"Name"="Windows 10 - Credential Guard";"BackupID"="2D2F193A-6219-4508-BE94-DCCB289FEAEB"}
$GPOs += @{"Name"="Windows 10 - Domain Security";"BackupID"="6ADC1948-09A1-47C2-B1B8-B22E397CE724"}
$GPOs += @{"Name"="Windows 10 - BitLocker";"BackupID"="6C93418C-FED8-4184-925D-94CFB496B5F1"}
$GPOs += @{"Name"="Internet Explorer 11 - User";"BackupID"="8BFF2654-0813-4FFB-A677-D8D4874A0F70"}
$GPOs += @{"Name"="Internet Explorer 11 - Computer";"BackupID"="13EF1215-570A-4B8F-A3B0-F3BB70C96C18"}
$GPOs += @{"Name"="Windows 10 - Computer";"BackupID"="37BD6154-904F-4071-9055-CB0633EE30EF"}
$GPOs += @{"Name"="Windows 10 - User";"BackupID"="F563261D-E0B5-4CC3-A7E6-DE2CEBCFBD76"}
foreach ($GPO in $GPOs) {
    Import-GPO -BackupId $GPO.BackupID -Path $GPOPath -TargetName $GPO.Name -CreateIfNeeded
}

Windows 10 security policies imported.