Forum Discussion
Windows 10 Best Practices
Jul 16, 2019
StuartK73
Not sure if there exists a comprehensive "policy" but for a start you should adopt security baseline. For other things to consider:
1) Monitoring - consider implementing Windows Analytics https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-overview
2) Data security - protect sensitive data with backups - OneDrive Enterprise State Roaming with KFM is a good starting point
Intune-specific: I'm not a fan of using Device restriction policies, as they tend to affect UX a lot; do that only when you have to cut the access.
Intune also doesn't yet expose the full capability of CSP policies, and the UI doesn't reflect it. You have a LOT more settings available by configuring CSP policies directly.
AlexPawlak wrote:
StuartK73
Not sure if there exists a comprehensive "policy" but for a start you should adopt security baseline. For other things to consider:
Hi Buddy
Thanks very much for your reply.
Can you elaborate on "adopt security baseline"?
I see that there are Security Baselines in Intune, and the following article relates to W10 1809:
https://docs.microsoft.com/en-us/intune/security-baselines
Is this info relevant for, and can it be used on, 1709?
Info appreciated
Hey
1) 1709 has been out of service since April 9, 2019 - refer to https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
2) Quite a few settings from the 1809 baseline exist in 1709; however, you have no guarantee they are running OK. If you applied the 1809 baseline to an older version, you'd get a lot of errors for every setting that is tried but not present in 1709, which is a nightmare from a compliance and reporting perspective.
3) https://blogs.technet.microsoft.com/ausoemteam/2017/10/20/final-security-baseline-for-windows-10-version-1709/ - you can try creating a device configuration for 1709 using these security baseline settings: either run a script to invoke the baseline configuration, or deploy each setting in a configuration profile. However, I suspect there's a lot of manual labor involved. I'd strongly opt for upgrading to 1809, which is designated for broad deployment https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540, or 1903 if you want a fresher experience.
Hope this helps!
Alex Pawlak
StuartK73, Jul 17, 2019, Iron Contributor
Fantastic answer, thank you very much.
Final question, could I then use Intune Update Rings to upgrade the 1709 devices to 1809?
Is this an Enterprise only feature or will it work on Pro editions?
Info appreciated
AlexPawlak, Jul 17, 2019, Brass Contributor
Intune update rings use Windows Update for Business:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb
Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro for Workstation, and Education editions - as per the above link :-) You don't have to use Intune or any cloud service at all, but it's way easier that way.
Intune leverages this functionality to manage the settings for client PCs defined in update rings.
Best regards,
Alex Pawlak
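The two checks this thread turns on (is the device still on a serviced release before a version-specific baseline is pushed to it, and is its edition one that Windows Update for Business, and therefore an Intune update ring, will manage) can be scripted as a local inventory report. The PowerShell below is an added example, not code from the thread or from Microsoft. It reads only the standard values Windows stores under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion and the Windows Update policy key; the end-of-service table is a placeholder filled with just the 1709 date cited above, and the function name Get-BaselineReadiness is this example's own.

```powershell
# Added example (not from the thread). Reports release, edition, end-of-service status and
# any Windows Update for Business deferral policy on the local Windows 10 device.
# Assumption: the $endOfService table holds only the 1709 date cited in the thread;
# extend it from the Windows lifecycle fact sheet before relying on the OutOfService flag.

function Get-BaselineReadiness {
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # ReleaseId is "1709", "1809", "1903", ... on the releases discussed in the thread.
    # From 20H2 onward ReleaseId stays at "2009" and DisplayVersion carries the name.
    $releaseId = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }
    if (-not $releaseId) { $releaseId = 'unknown' }

    # EditionID values for the editions the thread lists as covered by Windows Update for Business.
    $wufbEditions = @('Professional', 'ProfessionalWorkstation', 'Enterprise', 'Education')

    # Placeholder end-of-service table: only the 1709 date is taken from the thread.
    $endOfService = @{
        '1709' = [datetime]'2019-04-09'
        # '1809' = [datetime]'<fill in from the lifecycle fact sheet>'
    }

    # WUfB deferral policy values, present when a policy (e.g. an Intune update ring) is applied.
    $wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        ReleaseId              = $releaseId
        Build                  = "$($cv.CurrentBuild).$($cv.UBR)"
        Edition                = $cv.EditionID
        WufbEdition            = ($wufbEditions -contains $cv.EditionID)
        EndOfService           = $endOfService[$releaseId]
        OutOfService           = ($endOfService.ContainsKey($releaseId)) -and ($endOfService[$releaseId] -lt (Get-Date))
        FeatureUpdateDeferDays = $wu.DeferFeatureUpdatesPeriodInDays
        QualityUpdateDeferDays = $wu.DeferQualityUpdatesPeriodInDays
    }
}

# Usage: run locally, review the report, and act on the two warnings below.
$state = Get-BaselineReadiness
$state | Format-List

if ($state.OutOfService) {
    Write-Warning "$($state.ComputerName) is on $($state.ReleaseId), out of service since $($state.EndOfService.ToShortDateString()); upgrade before applying a newer baseline."
}
if (-not $state.WufbEdition) {
    Write-Warning "Edition '$($state.Edition)' is not in the Windows Update for Business edition list; an Intune update ring will not manage it."
}
```

Run it across a fleet (for example through Invoke-Command or as a script deployed from Intune) and the OutOfService and WufbEdition columns give you the list of devices that need an upgrade before the 1809 baseline is assigned, instead of discovering them as per-setting compliance errors afterwards.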