I think for most people sections 2, 12, 17, 18, 21, 24, 28, 29 and 33 are of top priority (especially 18.16: choose Security for the Send your device data to Microsoft policy). This will save you a lot of time.
For Office there are just 2 settings (12). You can download group policies here.
No, the privacy-related settings are not included in the security baseline, at least for Edge and Office.
As for the security baseline, just download it and open MS Security Baseline Windows 11 v23H2.xlsx. The suggestions are in the Windows 11 column. Some of the important settings are VBS, ASR and Windows Defender related settings. Basically it is a more complete and official security guide than berisgood's one.
Also refer to some additional recommendations here.
Please note all of my recommendations are from official Microsoft websites. I think they know their OS best.
I do question the usefulness of having a local account need a hardware key to login. You need to shut off any other way to access the computer for it to actually provide real security and not security theater. For example, it doesn’t prevent a computer from remoting in.
Note: Local accounts will not be accessible by Windows Remote Desktop (RDP), but may still be accessible through other remote access software such as VNC or SSH. This other software can bypass the second factor because it does not integrate with the Windows authentication system.
I found it a fun thing to do, but I think unless your threat model requires you to lock down Windows like this, it's going to make using Windows much more annoying for a small security gain.
It is much simpler to just lock down what's inside the local account than the account itself.
There are a lot of settings that are changed all at once; does it break something?
I guess the remove script could help in that case, but I would prefer something more granular or with a GUI for peace of mind.
Are the new settings applied per user or globally?
No, at least not without your own overrides. Some settings worsen security (e.g. disable updates) and need changes. Others only work on Enterprise editions. So you might need additional settings to mitigate these on Pro edition.
The problem with Microsoft’s baselines is that they usually expect enterprise editions, security and privacy settings often play it off against each other and some things only apply or make sense for domain joined devices. They usually need some adjustments, then they can be very useful, but applying them blindly can lead to worse security, privacy or usability. To give you an example: I have more than 20 overrides to RTLFB alone.
Since all of this will take a lot of time I would recommend to skip Edge’s privacy whitepaper and simply use Brave instead.
I have implemented most of the suggestions in the Windows Guide,
What do I need to do exactly? E.g., what scripts do I need to run or policies do I need to set (e.g., the Windows Restricted Traffic Limited Functionality Baseline, the Administrative Template files (ADMX/ADML) and Office Customization Tool for Microsoft 365 Apps for enterprise, Office 2019, and Office 2016 and/or the Security Compliance Toolkit and Baselines), and what do I need to set these policies to? Answering such questions would be highly appreciated. Furthermore, what are the Mobile device management (MDM) security baselines? Who are these relevant to?
So far, thanks to @anon34108895 I know there are only 2 settings to apply for Microsoft 365 apps.
Aren’t these applied automatically in the security baselines? Can I get away without reading these sections? Would it be more efficient to find policies that I need to revert back from those recommended in the security policies (e.g., stopping automatic updates)?
No. This is from RTLFB. RTLFB and security baselines are partially conflicting.
RTLFB is not something you can apply blindly. Some settings disable security-critical things like Windows or Defender updates. You either need to adjust these objects in the baseline before applying or override them afterwards.
I didn’t encounter major issues with the Windows and Office baselines. Only the Edge baseline is hindering browser extensions, native messaging and downloads.
My recommendation would be, if you can, to first install it on a virtual machine. Test it for a few days, then install them on your main host. If that is not possible, then before installing the baselines create a manual system recovery point.
For those of you who have zero knowledge in computer science and do not have the time to read through all of Microsoft’s documentation, here is how I was able to finally apply the security baseline, after hours of suffering:
Warning: make a recovery point before doing the below steps!
Download the “Windows 11 v23H2 Security Baseline” and “LGPO” files from here.
Unzip both files.
In the unzipped LGPO file, navigate to LGPO_30 > LGPO.exe.
Copy the LGPO.exe file to Windows 11 v23H2 Security Baseline > Scripts > Tools.
Open Windows PowerShell as an administrator.
Change the directory to the Scripts folder in the Windows 11 v23H2 Security Baseline file by typing:
cd 'C:\Users\Redacted\Downloads\Windows 11 v23H2 Security Baseline\Windows 11 v23H2 Security Baseline\Scripts'
Set the execution policy to unrestricted for the current process by typing:
Set-ExecutionPolicy -Scope Process Unrestricted
You will be prompted with a message about the execution policy change. Respond with Y to confirm the change.
Run the Baseline-LocalInstall.ps1 script with the -Win11NonDomainJoined parameter (since I am using a personal laptop) by typing:
.\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
You will receive a security warning. Respond with R to run the script once.
Congratulations, you’ve successfully applied the Windows 11 security baseline! But do not close Windows PowerShell yet!
Conveniently, the link also includes the other baselines mentioned by the expert users here. Simply follow the above steps and use the folders “Microsoft Edge v117 Security Baseline”, “Microsoft 365 Apps for Enterprise 2306” and “WindowsRTLFB”. Furthermore, you do not have to apply the parameter given in step 9, nor are there any unique requirements for the other scripts; everything else is literally the same. This will save you time.
While experts suggest you should not blindly apply these policies, I suggest you do apply them all, and then revert individual, troublesome policies as they appear (you may notice them when you try to complete a task or if a feature that you are used to is missing. The only problem I can foresee is the potential removal of useful features before you have a chance to discover and use them. As of now [01/03/2024], the decision on which policies to remove is still under discussion, as detailed below). I have had no issues so far.
See this for updates: [quote=“sha123, post:34, topic:15750”]
RTLFB and security baselines are partially conflicting.
[/quote]
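The step-by-step procedure above, scripted as one PowerShell file, with the rollback path that the earlier posts ask for added in: a system restore point and an LGPO.exe backup of the current local policy are taken before Baseline-LocalInstall.ps1 runs, so individual settings can be diffed and reverted later instead of undoing the whole baseline. This is an added example, not code from any poster or from Microsoft's toolkit. The download paths, the backup folder and the restore-point description are assumptions for a typical personal laptop; adjust them to where you unzipped the files.

```powershell
# Added example (not from the thread or the Security Compliance Toolkit):
# apply a Microsoft Security Baseline on a non-domain-joined Windows 11 PC
# with a rollback path. All paths below are assumptions; change them to match
# where you unzipped the baseline and LGPO downloads.
#Requires -RunAsAdministrator
param(
    [string]$BaselineRoot = "$env:USERPROFILE\Downloads\Windows 11 v23H2 Security Baseline\Windows 11 v23H2 Security Baseline",
    [string]$LgpoExe      = "$env:USERPROFILE\Downloads\LGPO_30\LGPO.exe",
    [string]$BackupDir    = "$env:USERPROFILE\Documents\LGPO-Backups"   # assumed location
)

$ErrorActionPreference = 'Stop'
$scripts = Join-Path $BaselineRoot 'Scripts'
$tools   = Join-Path $scripts 'Tools'

# 1. Restore point (the "make a recovery point" warning, scripted).
#    System Restore only creates one point per 24 hours by default; if one
#    was made recently Checkpoint-Computer warns and returns without creating another.
Enable-ComputerRestore -Drive "$env:SystemDrive\"
Checkpoint-Computer -Description 'Before Security Baseline' -RestorePointType MODIFY_SETTINGS

# 2. Back up the current local policy with LGPO.exe /b. The backup is a GPO
#    backup folder (GUID name) that LGPO.exe /g <dir> can import again.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $BackupDir $stamp
New-Item -ItemType Directory -Path $backup -Force | Out-Null
& $LgpoExe /b $backup
if ($LASTEXITCODE -ne 0) { throw "LGPO backup failed with exit code $LASTEXITCODE" }

# 3. Keep a human-readable dump of the machine registry.pol for diffing
#    before/after (LGPO.exe /parse /m prints a registry.pol as LGPO text).
$machinePol = Get-ChildItem -Path $backup -Recurse -Filter 'registry.pol' |
    Where-Object { $_.FullName -like '*\Machine\*' } | Select-Object -First 1
if ($machinePol) {
    & $LgpoExe /parse /m $machinePol.FullName | Out-File (Join-Path $backup 'machine-before.txt')
}

# 4. Stage LGPO.exe where Baseline-LocalInstall.ps1 expects it (Scripts\Tools).
Copy-Item -Path $LgpoExe -Destination $tools -Force

# 5. Relax the execution policy for this process only and run the baseline
#    for a non-domain-joined machine. Unrestricted still prompts once for a
#    script downloaded from the internet; answer R to run it, as in the post.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Unrestricted -Force
Push-Location $scripts
try {
    & .\Baseline-LocalInstall.ps1 -Win11NonDomainJoined
} finally {
    Pop-Location
}

Write-Host "Baseline applied. Pre-baseline policy backup: $backup"
Write-Host "Compare with: & '$LgpoExe' /parse /m '$env:SystemRoot\System32\GroupPolicy\Machine\registry.pol'"
```

Running the same `/parse /m` on the live `registry.pol` after the baseline and diffing it against `machine-before.txt` shows exactly which registry-based policies the baseline added or changed, which is the granular view asked for earlier in the thread. Treat the restore point as the full rollback: an LGPO import re-applies the settings recorded in the backup, but it does not by itself clear a policy the baseline introduced that was simply absent before, so reverting a single troublesome setting is better done by setting it back to Not Configured in gpedit.msc.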