May 9 Windows Boot Manager mitigation and Optional Overrides for Baseline still required?

[agpt8]

As the script has been updated for Microsoft 23H2 Security Baseline, are the measures recommended in the README, specifically the May 9 Windows Boot Manager and the Optional Overrides still applicable and needs to be applied?

The Optional overrides wiki page mentions that those features were disabled by the 22H2 baseline.

And May 9th one should be already applied on Windows for all newer ISOs and machines running latest updates, right?

Do we still need to apply these explicitly? I ask this as it has been a while since I ran this module. It has been updated significantly and I will be running it again.

[HotCakeX]

Hi,
Yes they're still both required.
The official document includes the timing of the updates

As soon as the manual method is no longer required and Windows update starts applying it automatically, it will be removed from here too.

The ISOs are updated with the new revocations list, but they aren't applied automatically. The Harden Windows Security module/script applies them. Based on that document, in January 2024 the procedure changes and some time later in 2024 it will all be applied automatically.

About overrides for Microsoft Security baselines, you can download the latest zip from here, it includes 2 Excel files, one for all the configurations and the other for delta changes. The optional overrides in this repo aren't in those changes. I don't think the need for these optional overrides will ever go away because Microsoft Security baselines are geared towards high security environments and enterprises, so they disable some features that are useful for home users, that's why the optional overrides exist. They are also necessary to be applied if running the module or script in Azure VMs.

I updated the document with better wording to show that they aren't only for 22H2.