The Secure Host Baseline (SHB) provides an automated and flexible approach for assisting the DoD in deploying the latest releases of Windows 10 using a framework that can be consumed by organizations of all sizes.
The DoD CIO issued a memo on November 20, 2015 directing Combatant Commands, Services, Agencies and Field Activities (CC/S/As) to rapidly deploy the Windows 10 operating system throughout their respective organizations with the objective of completing deployment by the end of January 2017. The Deputy Secretary of Defense issued a memo on February 26, 2016 directing the DoD to complete a rapid deployment and transition to Microsoft Windows 10 Secure Host Baseline by the end of January 2017.
Formal product evaluations also support the move to Windows 10. The National Information Assurance Partnership (NIAP) oversees evaluations of commercial IT products for use in National Security Systems . The Common Criteria evaluation of Windows 10 against the NIAP Protection Profile for General Purpose Operating Systems completed April 5, 2016 . The Common Criteria evaluation of Windows 10 against the NIAP Protection Profile for Mobile Device Fundamentals completed January 29, 2016 .
Using a Secure Host Baseline is one of IAD’s top 10 mitigation strategies . The DoD Secure Host Baseline also exemplifies other IAD top 10 mitigation strategies such as using application whitelisting , enabling anti-exploitation features , and using the latest version of the operating system and applications .
This repository hosts Group Policy Objects, configuration tools, and compliance checks in support of the Windows 10 DoD Secure Host Baseline framework. Administrators of National Security Systems , such as those who are part of the Defense Industrial Base , can leverage this repository in lieu of access to the DoD SHB framework which requires a Common Access Card (CAC) or Personal Identification Verification (PIV) smart card to access.
Scripts for aiding users with the SHB are located in the Scripts sub folders of each component. Scripts available for use so far:
Importing a GPO varies depending on whether it is being imported for a domain versus a standalone system.
The PowerShell Group Policy commands can also be used to import a domain GPO on systems that have the PowerShell Group Policy module .
Import-Module GroupPolicy Import-GPO -Path "path to GPO backup folder"