HaslM, for the GPO question for DC. You do not need the DC and MS GPO for a Domain Controller. If you look at the 2 policies with Policy Analyzer you will see the GPOs are very similar. We contemplated making the DC GPO additive at one point but haven't yet gone there as it would cause a change that frankly probably isn't worth the churn.
To the question on Server 2016. This one comes up more often than it should, which means we need to get a blog posted on this 🙂 We said we were going to do it a few months ago and dropped the ball, so I will say we will have one posted in the next 30 days (ish). In the interim let's see if this helps, as it will be the gist of the blog. Ideally we would be able to go back and revisit every baseline at every release, but the reality is we cannot. We would also love to say just implement the latest and you will be good, but we cannot say that either. What we encourage customers to do is 1) evaluate the changes between 2006 and the current Server release with Policy Analyzer and then make an informed decision if any of the updated settings would have a negative effect in your environment.
Deleted, to your question. If deployed with UEFI Lock then yes, it would be a physical touch to remove it.