A couple of days ago Microsoft’s announced security baselines for Windows 10 v1607 and Windows Server 2016. No SCM cab files available yet (expected by the end of October), you could download only documentation and related collaterals:
– Windows Defender settings are now part of the Windows baseline.
– Enforcing the blocking of use of SSL 3.0 and out-of-date ActiveX controls in Internet Explorer.
– Disabling the Mobile Hotspot feature.
– Improvements in auditing settings.
– Change in User Rights Assignment so that administrators can choose to enable Remote Desktop.
– Continued removing unnecessary enforcement of defaults, consistent with our previously-documented philosophy.
– Settings related to Microsoft Edge browser have been removed from Windows Server baselines as Microsoft Edge is no longer present in Windows Server.
Original blog post on Microsoft Security Guidance: