Thanks so much @fiwayan173, you have provided some immensely helpful links. Keep in mind that I have applied the Windows 11 v23H2 Security Baseline, the Microsoft 365 Apps for Enterprise 2306 baseline and the Microsoft Edge v117 Security Baseline. I say this because some policies you mention may be covered in these baselines.
These are my final questions (all of them are regarding policies, all of which I assume aren’t covered in the baselines):
-
You mention the Attack surface reduction rules reference, to reiterate, you will have to be more specific with me, as I have no knowledge in computer science. In general, I am requesting a brief run down on how to apply your recommendations (specifically the ones I mention that I need help with in this post), which you have already confirmed are suitable for all basic users who want to improve their privacy. Unfortunately, Microsoft’s documentation is not meant to be read by lay people, like me. So, along with your recommendations a quick explanation on how to apply them, what they do and why we should use them, would be excellent.
-
These recommendations in particular:
Are particularly hard to know what on Earth is going on. The pages are speaking in different tongues. 
And I can’t even find the specific settings to change, how to change them, or understand why I need to change them within the linked pages.
-
Regarding the Windows Restricted Traffic Limited Functionality Baseline, you recommend applying the 24. Microsoft Defender Antivirus, 29. Windows Update and 28. Delivery Optimization settings, whereas Microsoft states: “For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Microsoft Defender Antivirus. Accordingly, we do not recommend disabling any of these features.” Why is this?
This is confusingly worded. Firstly, aren’t the Office and Edge settings covered in the Microsoft 365 Apps for Enterprise 2306 baseline?
Secondly, in your quote you make a link to your other quote:
It was a bit hard to piece together your quotes into a cohesive whole. After reading Microsoft’s documentation on these policies, where they say: “If you’re using Group Policy, you need to download the most current version of the Administrative Template files (ADMX/ADML) from the Microsoft Download Center.” I assume in order to apply these policies (1 and 2) one needs to apply the Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016 first. Is this what you meant to say?
Once again to someone who is illiterate in this field, a simple explanation on how on Earth to use and apply the Administrative Template files, would be highly appreciated.
-
You suggest these policies to “disable one’s Microsoft account”, do you know if any integral functionality may be lost by doing this?
-
I need help with enabling Smart App Control which you all suggested WDAC, how do I do this exactly (easiest way)?
-
Lastly, you say:
The second ‘setting’ is a link to a page consisting of multiple topics, which cover multiple settings each, so are you referring specifically to the Enforce local account restrictions for remote access topic or all of the settings covered by this page? It would be helpful to specify. Furthermore, the Enforce local account restrictions for remote access topic seemed to be already applied by the Windows security baseline.
The same goes with the other links, you helpfully link to what appears to be one topic within the page, but I do not know if I should read and apply the other topics. For the third link, you link to Enable delegation of nonexportable credentials on the remote hosts, underneath is another heading: Configure delegation of credentials on the clients, followed by more headings. Should I stick only to the topic you provided? More importantly, we should first ask ourselves: are these individual topics already covered by the baseline? Potentially saving us time. Further update: the Enable delegation of nonexportable credentials on the remote hosts topic within the third link was also already covered by the baseline. Also, the fifth link apparently doesn’t apply to the latest version of Windows 11.
I have no idea what is going on with the fourth link.