Forum Discussion
Windows 10 Best Practices
Hi All
Is there such a thing as a Windows 10 Best Practices doc / guidance, or is this just driven by client requirements?
Setting up a Windows 10 PoC and just wondered if there was a BP on Device Restrictions / Endpoint Protection etc.
Info appreciated
StuartK73
Not sure if there exists a comprehensive "policy" but for a start you should adopt a security baseline. For other things to consider:
1) Monitoring - consider implementing Windows Analytics https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-overview
2) Data security - protect sensitive data with backups - OneDrive Enterprise State Roaming with KFM is a good starting point
For Intune specific - I'm not a fan of using Device restriction policies as they tend to affect UX a lot - do that only when you have to cut the access.
Intune also doesn't yet expose the full capability of CSP policies; the UI doesn't reflect it. You have a LOT more settings available by configuring CSP policies directly.
- AlexPawlak Brass Contributor
- StuartK73 Iron Contributor
AlexPawlak wrote:
StuartK73
Not sure if there exists a comprehensive "policy" but for a start you should adopt security baseline. For other things to consider:
AlexPawlak
Hi Buddy
Thanks very much for your reply.
Can you elaborate on "adopt security baseline"?
I see that there are Security Baselines in Intune and the following article relates to W10 1809:
https://docs.microsoft.com/en-us/intune/security-baselines
Is this info relevant for, and can it be used on, 1709?
Info appreciated
- AlexPawlak Brass Contributor
Hey
1) 1709 has been end of service since April 9, 2019 - refer to https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
2) Quite a few baseline settings for the 1809 baseline exist in 1709; however, you have no guarantee they are running OK. If you applied the 1809 baseline to an older version, you'd get a lot of errors for every setting that is tried to be set but not present in 1709 - which is a nightmare from a compliance and reporting perspective.
3) https://blogs.technet.microsoft.com/ausoemteam/2017/10/20/final-security-baseline-for-windows-10-version-1709/ - you can try creating a device configuration for 1709 using these security baseline settings - you can either try to run a script to invoke the baseline configuration, or deploy each setting in a configuration profile - however I suspect there's a lot of manual labor included. I'd strongly opt for upgrading to 1809, which is designated for broad deployment https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540 or 1903 if you want a fresher experience.
Hope this helps!
Alex Pawlak