Jul 15 2019 03:28 PM
Hi All
Is there such a thing as a Windows 10 Best Practices doc / guidance or this is just driven by client requirements?
Setting up a Windows 10 PoC and just wondered if there was a BP on Device Restrictions / Endpoint Protection etc.
Info appreciated
Jul 15 2019 11:13 PM
Solution
@Stuart King
Not sure if there exists a comprehensive "policy" but for a start you should adopt security baseline. For other things to consider:
1) Monitoring - consider implementing Windows Analytics https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-overview
2) Data security - protect sensitive data with backups - OneDrive Enterprise State Roaming with KFM is a good starting point
For Intune specific - I'm not a fan of using Device restriction policies as they tend to affect UX a lot - do that only when you have to cut the access.
Intune also doesn't yet expose full capability of CSP policies, UI doesn't reflect it. You have a LOT more settings available by configuring CSP policies directly.
Jul 17 2019 01:41 AM
@Aleksander Pawlak wrote:
@Stuart King
Not sure if there exists a comprehensive "policy" but for a start you should adopt security baseline. For other things to consider:
Hi Buddy
Thanks very much for your reply.
Can you elaborate on "adopt security baseline"?
I see that there is Security Baselines in Intune and the following article relates to W10 1809:
https://docs.microsoft.com/en-us/intune/security-baselines
Is this info relevant for and can be used on 1709?
Info appreciated
Jul 17 2019 01:52 AM
Hey
1) 1709 is end of service since April 9, 2019 - refer to https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
2) Quite a few baseline settings for the 1809 baseline exist in 1709, however you have no guarantee they are running OK. If you applied the 1809 baseline to an older version, you'd get a lot of errors for every setting that it tries to set but that is not present in 1709 - which is a nightmare from a compliance and reporting perspective.
3) https://blogs.technet.microsoft.com/ausoemteam/2017/10/20/final-security-baseline-for-windows-10-ver... - you can try creating a device configuration for 1709 using these security baseline settings - you can either try to run a script to invoke the baseline configuration, or deploy each setting in a configuration profile - however I suspect there's a lot of manual labor involved. I'd strongly opt for upgrading to 1809, which is designated for broad deployment https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-br... or 1903 if you want a fresher experience.
Hope this helps!
Alex Pawlak
Jul 17 2019 03:09 AM
@Aleksander Pawlak wrote:
Hey
1) 1709 is end of service since April 9, 2019 - refer to https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
2) Quite a few baseline settings for the 1809 baseline exist in 1709, however you have no guarantee they are running OK. If you applied the 1809 baseline to an older version, you'd get a lot of errors for every setting that it tries to set but that is not present in 1709 - which is a nightmare from a compliance and reporting perspective.
3) https://blogs.technet.microsoft.com/ausoemteam/2017/10/20/final-security-baseline-for-windows-10-ver... - you can try creating a device configuration for 1709 using these security baseline settings - you can either try to run a script to invoke the baseline configuration, or deploy each setting in a configuration profile - however I suspect there's a lot of manual labor involved. I'd strongly opt for upgrading to 1809, which is designated for broad deployment https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-br... or 1903 if you want a fresher experience.
Hope this helps!
Alex Pawlak
Fantastic answer, thank you very much.
Final question, could I then use Intune Update Rings to upgrade the 1709 devices to 1809?
Is this an Enterprise only feature or will it work on Pro editions?
Info appreciated
Jul 17 2019 03:25 AM
Intune update rings use Windows Update for Business:
https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb
Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro for Workstation, and Education editions - as per the above link :) You don't have to use Intune or any cloud service at all, but it's way easier that way
Intune leverages this functionality to manage settings for client PCs defined in update rings
Best regards
Alex Pawlak
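A pre-flight check for the upgrade path discussed in this thread, added here as an example and not part of any reply: it reads the device's release (1709 vs. the recommended 1809/1903), its edition (Windows Update for Business covers Pro, Enterprise, Pro for Workstation and Education, not Home), and whether the Windows Update for Business policy an Intune update ring writes has arrived. Assumptions: run elevated on the Windows 10 PC; the list of recommended releases is constructed from the thread; the registry paths are the standard WUfB policy and CurrentVersion keys.

```powershell
# Added example (not code from the thread): audit a Windows 10 device before
# assigning an Intune update ring or the 1809 security baseline.

function Get-Win10ReleaseInfo {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName = $cv.ProductName   # e.g. "Windows 10 Pro"
        ReleaseId   = $cv.ReleaseId     # e.g. "1709"
        Build       = "$($cv.CurrentBuild).$($cv.UBR)"
    }
}

function Get-WufbPolicy {
    # Policy values written by the Update CSP that Intune update rings configure.
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (-not (Test-Path $path)) { return $null }
    $p = Get-ItemProperty $path
    [pscustomobject]@{
        BranchReadinessLevel            = $p.BranchReadinessLevel
        DeferFeatureUpdatesPeriodInDays = $p.DeferFeatureUpdatesPeriodInDays
        DeferQualityUpdatesPeriodInDays = $p.DeferQualityUpdatesPeriodInDays
    }
}

function Test-UpgradeReadiness {
    param(
        # Releases the thread recommends targeting (constructed list, July 2019).
        [string[]]$RecommendedReleases = @('1809', '1903')
    )
    $os       = Get-Win10ReleaseInfo
    $wufb     = Get-WufbPolicy
    $findings = @()

    if ($os.ReleaseId -notin $RecommendedReleases) {
        $findings += "Release $($os.ReleaseId) is not a recommended release; upgrade before applying the 1809 baseline."
    }
    if ($os.ProductName -match 'Home') {
        $findings += "$($os.ProductName) is not a Windows Update for Business edition; update rings will not manage it."
    }
    if ($null -eq $wufb) {
        $findings += 'No Windows Update for Business policy present yet; the update ring has not applied.'
    }

    [pscustomobject]@{
        Device   = $env:COMPUTERNAME
        Release  = $os.ReleaseId
        Build    = $os.Build
        Policy   = $wufb
        Findings = $findings
    }
}

Test-UpgradeReadiness | Format-List
```

An empty Findings list means the device is on a recommended release, an eligible edition, and already carries update-ring policy; anything listed is a reason to hold the baseline assignment for that device.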