The Australian Cyber Security Centre’s “Hardening Microsoft Windows 10 and Windows 11 Workstations” publication (last updated July 2024) is one of the more comprehensive endpoint-hardening references the security community has.…
Account Lockout Policy converts a brute-force password attack from 'eventually wins' into 'locks the account and stops'. Three knobs configured at the domain level via Default Domain Policy: lockout threshold (failed attempts before lock - default 0 = no protection, recommended 5), reset counter (minutes before failed-attempt counter resets - default 30), and lockout duration (minutes account stays locked - 0 = manual unlock only). Walks the full setup in Server 2022 GPMC + Windows 10 client: edit Default Domain Policy, set the three values, disable Administrator account lockout (recommended - protects break-glass), gpupdate /force, deliberately lock a test user (5 wrong passwords), then unlock via ADUC Account tab or Unlock-ADAccount PowerShell. Includes the domain-scope constraint (must live in Default Domain Policy, not OU-linked - this is one of the rare exceptions to the don't-edit-defaults rule), the SIEM event-ID reference (4625/4740/4767), and pointers to Fine-Grained Password Policy for per-user/per-OU differentiation.
Default Windows 10/11 PowerShell policy is Restricted - .ps1 files are blocked, only interactive commands run. The right way to change that fleet-wide is one GPO at Computer Configuration / Administrative Templates / Windows Components / Windows PowerShell / Turn on Script Execution. Walks the round trip end to end on Windows Server 2022 + a Win10 client: verify the default Restricted state, create the GPO and set RemoteSigned (Allow local scripts and remote signed scripts), link to a pilot Test Computers OU, gpupdate /force + reboot on the client, confirm Get-ExecutionPolicy now reports RemoteSigned, then flip the GPO to Disabled to demonstrate rollback (returns to Restricted). Includes the five execution policies (Restricted / AllSigned / RemoteSigned / Unrestricted / Bypass), Get-ExecutionPolicy -List interpretation (MachinePolicy beats everything when the GPO is in effect), and the six common pitfalls (computer-vs-user OU link, missed reboot, Unrestricted-as-default, Not-Configured-vs-Disabled rollback semantics, mixed user+computer policies, and the powershell.exe -ExecutionPolicy Bypass admin-bypass that means execution policy is a safety not a security boundary - pair with AppLocker or WDAC for real restriction).
Remove-AppxPackage disappears the next time provisioning runs the OS image; the right tool for keeping consumer UWP apps (Microsoft Store, Xbox, Solitaire, Mixed Reality Portal) off business endpoints is AppLocker Packaged app Rules pushed by Group Policy. Walks the full GPO end-to-end: create + link a new GPO at the OU/domain root, configure the Application Identity service to start automatically (AppLocker's hard dependency), import a 132-rule AppLocker baseline XML, scope the rules with either publisher exceptions on broad Allow rules or explicit per-package Deny rules, switch enforcement mode from Audit-only to Enforce rules, gpupdate, verify on a domain-joined client (Application Identity running, Microsoft Store / Xbox / Solitaire all hit 'This app has been blocked by your system administrator'). Includes the SKU gotcha (AppLocker only enforces on Enterprise / Education, not Pro / Home), the audit-only safety net, the AppLocker event-log IDs (8020 = blocked, 8021 = would-be-blocked) for reporting, and the local-admin-bypass test trap.
