SOLVED

Windows 10 Best Practices


Hi All

Is there such a thing as a Windows 10 Best Practices doc / guidance, or is this just driven by client requirements?

Setting up a Windows 10 PoC and just wondered if there was a BP on Device Restrictions / Endpoint Protection etc.

Info appreciated

5 Replies
best response confirmed by Oliver Kieselbach (MVP)
Solution

@Stuart King 

Not sure if there exists a comprehensive "policy", but for a start you should adopt the security baseline. For other things to consider: 
1) Monitoring - consider implementing Windows Analytics https://docs.microsoft.com/en-us/windows/deployment/update/windows-analytics-overview
2) Data security - protect sensitive data with backups - OneDrive Enterprise State Roaming with KFM is a good starting point

Intune-specific - I'm not a fan of using Device restriction policies as they tend to affect UX a lot - do that only when you have to cut the access. 

Intune also doesn't yet expose the full capability of CSP policies; the UI doesn't reflect it. You have a LOT more settings available by configuring CSP policies directly. 


@Aleksander Pawlak wrote:

@Stuart King 

Not sure if there exists a comprehensive "policy", but for a start you should adopt the security baseline. For other things to consider: 

@Aleksander Pawlak 

Hi Buddy

Thanks very much for your reply.

Can you elaborate on "adopt security baseline"?

I see that there are Security Baselines in Intune, and the following article relates to W10 1809:

https://docs.microsoft.com/en-us/intune/security-baselines

Is this info relevant to, and can it be used on, 1709?

Info appreciated

Hey

1) 1709 has been end of service since April 9, 2019 - refer to https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
2) Quite a few settings from the 1809 baseline exist in 1709; however, you have no guarantee they are running OK. If you applied the 1809 baseline to an older version, you'd get a lot of errors for every setting that it tries to set but that is not present in 1709 - which is a nightmare from a compliance and reporting perspective.
3) https://blogs.technet.microsoft.com/ausoemteam/2017/10/20/final-security-baseline-for-windows-10-ver... - you can try creating a device configuration for 1709 using these security baseline settings - you can either try to run a script to invoke the baseline configuration, or deploy each setting in a configuration profile - however I suspect there's a lot of manual labor involved. I'd strongly opt for upgrading to 1809, which is designated for broad deployment https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-br... or 1903 if you want a fresher experience. 

Hope this helps!
Alex Pawlak
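A worked example added here, not part of Alex's reply and not Microsoft's baseline tooling: an audit-only PowerShell preflight that reads the installed Windows 10 release from the registry and, for a small list of policy settings, reports whether each one applies to that release and whether the device already matches the expected value. It changes nothing. This is the check behind point 2 above: settings that do not exist on the installed release are flagged as not applicable instead of being pushed and erroring. The four settings, their expected values and the minimum-release numbers are illustrative assumptions I chose for the demo, not the authoritative baseline content; take the real list from the baseline documentation.

```powershell
# Added example (not from the thread). Audit-only: reads the installed release and
# compares a handful of registry-backed policy settings against expected values.
# Nothing is written. ReleaseId is read from the documented CurrentVersion key;
# on releases after 2004 Microsoft moved to DisplayVersion, which is out of scope here.

$cv        = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$releaseId = [int]$cv.ReleaseId      # e.g. 1709, 1809
$build     = [int]$cv.CurrentBuild

# Each entry: registry path, value name, expected value, and the minimum release the
# setting is assumed to apply to. These are illustrative picks, NOT the baseline itself.
$baseline = @(
  @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                             Name='RunAsPPL';                 Expected=1; MinRelease=1607 }
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation';             Name='AllowInsecureGuestAuth';   Expected=0; MinRelease=1709 }
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'; Name='EnableScriptBlockLogging'; Expected=1; MinRelease=1607 }
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WinRM\Client';                  Name='AllowBasic';               Expected=0; MinRelease=1607 }
)

$report = foreach ($s in $baseline) {
  $actual = $null
  $status = if ($releaseId -lt $s.MinRelease) {
    # Pushing this setting to the installed release would fail and show as an error
    # in compliance reporting, so it is skipped rather than evaluated.
    'NotApplicable'
  } else {
    # Missing key or value yields $null instead of a terminating error.
    $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    if ($null -eq $actual)           { 'NotConfigured' }
    elseif ($actual -eq $s.Expected) { 'Compliant' }
    else                             { 'Drift' }
  }
  [pscustomobject]@{ Setting = $s.Name; Expected = $s.Expected; Actual = $actual; Status = $status }
}

"Windows 10 release $releaseId (build $build)"
$report | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the PoC device before assigning a baseline. Anything reported as NotApplicable is a setting to leave out of a profile targeted at that release; Drift and NotConfigured rows are the ones a configuration profile (or the corresponding Policy CSP node) would need to set.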


@Aleksander Pawlak wrote:

Hey

1) 1709 has been end of service since April 9, 2019 - refer to https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
2) Quite a few settings from the 1809 baseline exist in 1709; however, you have no guarantee they are running OK. If you applied the 1809 baseline to an older version, you'd get a lot of errors for every setting that it tries to set but that is not present in 1709 - which is a nightmare from a compliance and reporting perspective.
3) https://blogs.technet.microsoft.com/ausoemteam/2017/10/20/final-security-baseline-for-windows-10-ver... - you can try creating a device configuration for 1709 using these security baseline settings - you can either try to run a script to invoke the baseline configuration, or deploy each setting in a configuration profile - however I suspect there's a lot of manual labor involved. I'd strongly opt for upgrading to 1809, which is designated for broad deployment https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-br... or 1903 if you want a fresher experience. 

Hope this helps!
Alex Pawlak


@Aleksander Pawlak 

Fantastic answer, thank you very much.

Final question: could I then use Intune Update Rings to upgrade the 1709 devices to 1809?

Is this an Enterprise-only feature, or will it work on Pro editions?

Info appreciated

Intune update rings use Windows Update for Business: 

https://docs.microsoft.com/en-us/windows/deployment/update/waas-manage-updates-wufb

Windows Update for Business is a free service that is available for Windows Pro, Enterprise, Pro for Workstation, and Education editions - as per the above link :) You don't have to use Intune or any cloud service at all, but it's way easier that way. 

Intune leverages this functionality to manage settings for client PCs defined in update rings.

Best regards

Alex Pawlak
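An added example to go with the reply above; it is not Alex's code and not part of Intune. The script checks, from the registry, whether the device's edition is one Windows Update for Business supports and reads back the deferral policy that an update ring (or a GPO) has applied, so you can confirm on a Pro device that the ring actually landed before expecting a 1709 to 1809 feature update. The edition IDs and the value names under the WindowsUpdate policy key are the documented ones; treating a missing key as "no ring applied" is my assumption.

```powershell
# Added example (not from the thread). Read-only check of WUfB eligibility and of the
# deferral policy currently applied on this device. Intune update rings write these
# values through the Update CSP; a GPO writes the same registry values.

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# Editions listed in the WUfB documentation (EditionID names as stored in the registry).
$supportedEditions = 'Professional', 'ProfessionalWorkstation', 'Enterprise', 'Education'
$eligible = $cv.EditionID -in $supportedEditions

# Policy key is absent when no ring or GPO has been applied; -ErrorAction keeps that quiet.
$wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue

# BranchReadinessLevel as documented: 16 = Semi-Annual Channel (Targeted), 32 = Semi-Annual Channel.
$readiness = switch ($wu.BranchReadinessLevel) {
  16      { 'Semi-Annual Channel (Targeted)' }
  32      { 'Semi-Annual Channel' }
  default { 'not set' }
}

$result = [pscustomobject]@{
  Edition                 = $cv.EditionID
  Release                 = $cv.ReleaseId
  WUfBEligible            = $eligible
  RingPolicyPresent       = ($null -ne $wu)            # assumption: key present == ring/GPO applied
  DeferFeatureUpdatesDays = $wu.DeferFeatureUpdatesPeriodInDays
  DeferQualityUpdatesDays = $wu.DeferQualityUpdatesPeriodInDays
  BranchReadiness         = $readiness
}

if (-not $eligible) {
  Write-Warning "Edition '$($cv.EditionID)' is not a WUfB edition; update rings will not manage this device."
}
$result
```

A Pro device should report WUfBEligible as True; if RingPolicyPresent is False after the ring has been assigned, the device has not yet synced with Intune and the feature update deferral has not taken effect.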
