Introducing the Windows 10 Business Secure Configuration Framework

Back to Blog
04Oct2019

Introducing the Windows 10 Business Secure Configuration Framework

Update March 2023: This publication has been updated significantly and renamed as well. It is now called The SMB Guide to Threat Defense and Microsoft Defender in Microsoft 365 Business Premium Plans. This guide describes implementation of Microsoft Defender for Office 365 as well as Microsoft Defender for Business, and more! The product still includes supporting materials such as scripts and templates to help you implement each of the three security profiles. Get the product here. It is also included in the Consultant’s Bundle.

Microsoft has published guidance with respect to securing Enterprise workstations, however this type of literature is lacking for the small business. Specifically, Windows 10 Business (part of Microsoft 365 Business) does not contain all of the same software and features as the Enterprise editions of Windows 10 and Microsoft 365.

Therefore, I have parsed out and constructed a new set of security profiles loosely based on the Enterprise framework, but which contain simplified policies that are 100% compatible with Windows 10 Business! This resource should save you a ton of guesswork and time, and will be even easier to implement than what I previously published. Take a look.

The Windows 10 Business Secure Configuration Profiles

The new implementation guide also includes additional resources such as templates and scripts.

Drawing on my own experience implementing Microsoft 365 Business as well as Microsoft’s literature for the Enterprise, I have designed three basic profiles:

  • Baseline: This profile is appropriate for use in most small business environments and is also BYOD-friendly. The goal is not to impose too many restrictions while at the same time allowing the company to manage and secure the workstation.
  • Standard: Corporate security is a more advanced profile with tighter security and restrictions via the Windows MDM security baseline provided by Microsoft. However, users are still able to install applications and customize many settings. 
  • Strict: This profile uses Autopilot to remove local admin. As well, Conditional Access to block unmanaged devices. The Autopilot deployment process and baseline modifications are both described in the guide.

The typical implementation will always begin by implementing the Baseline security profile first, and then progressing up through the levels using the guidance I have laid out in the accompanying how-to doc.

Possible extensions to the framework

Although I only created three profiles for simplicity’s sake on this project, it would be possible to extend the framework further, for example:

A more basic security profile may simply forgo implementing the Enhanced security device configuration profiles, while still requiring device compliance and monitoring, and maybe even app protection.

On the other end, a more restrictive/specialized workstation may also impose restrictions on web browsing and/or include application whitelisting. These controls, however, would likely be achieved with third-party products. The three in the middle is what I have already built out for you, and I think those should cover 95% of the small and mid-sized businesses that I regularly consult with.

I hope that you enjoy this product as much as I do. It saves me loads of time as I implement secure configurations for other customers who are adopting Microsoft 365 Business as their new technology platform.

Drop me a line and let me know what you think of the product, and THANK YOU for your support–seriously, you all are awesome.

Products, Technical , , , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

21Feb

What are the benefits of using Autopilot in Microsoft 365? And, how to configure it.

Autopilot is a "low touch" or "no touch" deployment method that can be leveraged by IT departments to enable self-service computer deployments. Users can basically pick up a new Windows 10 device, sign in, and have all of their applications and data come to them... read more
25Jan

Tutorial: How to downgrade to the old Office 365 Message Encryption

I recently shared the method used to enable the "new" Office 365 Message Encryption features, built on Azure Information Protection. That process can be followed either to setup a new tenant with the latest version (v2), or to upgrade an existing tenant from the old... read more
14Jul

U.K. Cyber Essentials Simple Assessment Tool

I recently came across the U.K.'s Cyber Essentials, as published by the National Cyber Security Centre (NCSC). Not two days after I learned about this simple control framework while on a conference call spanning several time zones with friends from around the world, that I... read more
22Sep

Tutorial: How to Setup a Site-to-Site VPN between an Azure Virtual Network and WatchGuard Firewall, part 2

In this article, we will cover how to configure a WatchGuard firewall for site-to-site VPN with an Azure Virtual Network. Prior to this, you will have already built your Azure Virtual Network and related objects, to enable the connection. See the previous article for details... read more
Hybrid Azure AD Join or not?
08Jul

Should I use Hybrid Azure AD Join or not?

I consulted with an MSP recently about one of their larger customers, and whether or not to implement Hybrid Azure AD Join for existing Windows workstations (joined to traditional Active Directory). The classic consultant answer of course is, "It depends." In certain cases, perhaps. But... read more
19Oct

Azure Virtual Network: What is the difference between Policy-based and Route-based VPN?

You want to configure a Site-to-Site (S2S) VPN tunnel from an on-premises hardware VPN device, such as your firewall, and an Azure Virtual Network. For this, you require several objects in Azure. One of those is a "virtual network gateway"--which is basically just a software... read more
More details on Microsoft Defender for Business (MDB)
18Nov

More details on Microsoft Defender for Business (MDB)

Perhaps the biggest Microsoft product announcement this year for SMB customers was Microsoft Defender for Business, an Enterprise-grade endpoint security solution which is based on the wildly successful Microsoft Defender for Endpoint product. As previously noted on this blog, MDB will be included with Microsoft... read more
29Nov

Leveraging Conditional Access to enforce either MDM or MAM–user’s choice

In some circumstances, you might want users to have their choice: Use the native mail apps and have their mobile devices managed via Intune MDM, OR, Use a managed application such as Outlook on their own personal devices, and opt out of full device management. The... read more
26Nov

Coming soon to an Azure AD/Microsoft 365 subscription near you: Life without passwords?!

I previously commented when Microsoft released new password guidance, which is backed by their own research as well as that of NIST. A quick recap of that: Require passwords have at least 8 characters. Longer isn't necessarily better, as they cause users to choose predictable... read more
20May

New Baseline Conditional Access Policies in Azure AD

Remember over a year ago when the first Baseline Conditional Access policy dropped? It was simple enough and most definitely a good move, but of course, most people still aren't using it. I have heard some nightmarish statistic--something like less than 2 percent of admin... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me