Apps for Enterprise Group Policy Best Practice

%3CLINGO-SUB%20id%3D%22lingo-sub-2627046%22%20slang%3D%22en-US%22%3EApps%20for%20Enterprise%20Group%20Policy%20Best%20Practice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2627046%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20there%2C%3C%2FP%3E%3CP%3EThis%20might%20be%20a%20very%20generic%20question%2C%20but%20we%20are%20preparing%20to%20deploy%20Apps%20for%20Enterprise%20across%20our%20estate%2C%20and%20were%20looking%20at%20the%20new%20group%20policy%20admx%20templates%20and%20debating%20what%20policies%20and%20options%20to%20configure.%3C%2FP%3E%3CP%3EWe%20were%20wondering%20if%20there%20was%20any%20sort%20of%20%22best%20practice%22%20or%20top%20recommendations%20for%20this%20sort%20of%20thing.%20Talking%20things%20like%20OST%20retention%20defaults%2C%20blocking%20PSTs%2C%20default%20file%20save%20locations%20(i.e.%20governance%20around%20OneDrive)%20that%20sort%20of%20thing.%3C%2FP%3E%3CP%3EWe%20have%20got%20the%20security%20baseline%20templates%20already%20downloaded%20etc%2C%20but%20this%20is%20more%20around%20user%20config%20options.%3C%2FP%3E%3CP%3EThanks%3C%2FP%3E%3CP%3EChris%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-2627046%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EOffice%20365%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOffice%20Apps%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EOn-Premises%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EProPlus%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2627211%22%20slang%3D%22en-US%22%3ERe%3A%20Apps%20for%20Enterprise%20Group%20Policy%20Best%20Practice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2627211%22%20slang%3D%22en-US%22%3EAt%20my%20previous%20employer%20we%20used%20the%20Security%20Baseline%20as%20the%20default%20settings%20if%20not%20explicitly%20other%20requested%20setting%20from%20the%20business.%20In%20other%20words%2C%20I%20don't%20believe%20there's%20a%20%22best%20practice%22%20as%20all%20orgs.%20have%20different%20business%20needs.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-security-baselines%2Fbg-p%2FMicrosoft-Security-Baselines%22%20target%3D%22_blank%22%3Ehttps%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-security-baselines%2Fbg-p%2FMicrosoft-Security-Baselines%3C%2FA%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2628038%22%20slang%3D%22en-US%22%3ERe%3A%20Apps%20for%20Enterprise%20Group%20Policy%20Best%20Practice%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2628038%22%20slang%3D%22en-US%22%3EYou%20can%20also%20look%20at%20the%20Security%20Policy%20Advisor%2C%20which%20is%20now%20built%20in%20in%20the%20M365%20Apps%20admin%20center%3A%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FDeployOffice%2Foverview-of-security-policy-advisor%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2FDeployOffice%2Foverview-of-security-policy-advisor%3C%2FA%3E%3C%2FLINGO-BODY%3E
New Contributor

Hi there,

This might be a very generic question, but we are preparing to deploy Apps for Enterprise across our estate, and were looking at the new group policy admx templates and debating what policies and options to configure.

We were wondering if there was any sort of "best practice" or top recommendations for this sort of thing. Talking things like OST retention defaults, blocking PSTs, default file save locations (i.e. governance around OneDrive) that sort of thing.

We have got the security baseline templates already downloaded etc, but this is more around user config options.

Thanks

Chris

3 Replies
At my previous employer we used the Security Baseline as the default settings if not explicitly other requested setting from the business. In other words, I don't believe there's a "best practice" as all orgs. have different business needs.

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baseline...
You can also look at the Security Policy Advisor, which is now built in in the M365 Apps admin center: https://docs.microsoft.com/en-us/DeployOffice/overview-of-security-policy-advisor
Great thank you very much