by jmau111 1248 days ago
> the guide recommends application updates only for enterprise users

No. Maybe read this part https://github.com/jmau111-org/windows_security#7-recommenta...

> strong passwords [...] counter to NIST and other accepted guidelines

I don't think it's the case. Even if it is, I would disagree with that point of view.

> It should be mentioned that common Windows antivirus and endpoint security software is in itself a security risk [...] Similarly, phishing attacks are enabled by common Windows-based applications such as Outlook

Lots of confusion here, to me, but thanks for your comment overall. In fact, the guide tries to keep things simple but could certainly be improved on some points.


That part says "Keep the system up-to-date (Windows update): download and install all patches." But Windows Update doesn't update any applications for third parties and not even all Microsoft applications. So the recommendations for individuals are problematic as described. Only the section for "admins (businesses, organizations)" mentioning "e.g. Windows Server" mentions application updates.

erf, that's what I mean by "download and install all patches," but I'll try to write that better if it's confusing.

I'd suggest something like "Keep the system and applications up to date. Install all patches from Windows Update immediately and preferably automatically. Use applications' automatic updates or package managers such as chocolatey."