My Essential Checklist for Setting up any New Windows 10 Pro Device
Alex Fields
This post features the things I do when setting up any (personal) Windows 10 Pro device, whether it’s for myself, my family members, clients, or anyone really. I usually do these things with security / compliance in mind–but some of it comes down to preference (I think the differences between these will be obvious). Let me share this list with you now. Feel free to add your own favorites or other notes in the comments section, too!
Harden your BIOS/UEFI: Before the OS loads, the firmware (UEFI on modern PCs, the older BIOS on legacy ones) starts first and stays resident the entire time your PC is on. Modern UEFI has some really useful security features built in; you should know about them and you should absolutely use them. You usually get into the firmware setup by paying attention to what your screen says before Windows loads: often “Setup” is reached by pressing “Delete,” “F1,” “F2” or some other F-key. Make sure the TPM is enabled if you have that option, and Secure Boot, for sure. BitLocker and Windows Hello (below) both lean on the TPM to keep their keys off the disk, and Secure Boot refuses to run unsigned bootloaders, which is what keeps boot-level rootkits out. It is also worth setting a firmware (setup) password so nobody can switch these off or boot from a USB stick without it. See more here.
Microsoft account: You can sign in to your Windows 10 device with a Microsoft account, which I recommend: it brings benefits such as syncing certain settings and preferences, storing your BitLocker recovery key in the cloud, and more. Be sure to enable two-factor authentication on this account too, since it now protects both your device sign-in and that recovery key.
Set up Hello/PIN: Windows Hello is a sign-in method tied to this specific device. Usually this means setting a PIN of your choosing, but you can also configure other options (a fingerprint reader or an infrared camera for facial recognition, if you have them). The PIN is bound to the device and, where a TPM is present, protected by it, so it never leaves the machine; that is the point of this technology, because a PIN that is stolen or shoulder-surfed is useless on any other device. That only holds if you pick a non-trivial PIN (not 1111 or 1234) and use a different one on each device. Start > Settings > Accounts > Sign-in options > Set up under Windows Hello.
Updates: I almost didn’t include this because it’s so obvious, but then I thought: someone out there will take this checklist too literally and overlook this critical step, so I’d better include it. Seriously, get every available update from Settings > Update & Security, and reboot until it reports nothing left to install.
Enable BitLocker: BitLocker encrypts your entire drive, so a lost or stolen laptop doesn’t turn into a data breach. If you access or store Personally Identifiable Information (PII) or electronic Protected Health Information (ePHI), this is a MUST. And really, why wouldn’t you just do it anyway? Visit Control Panel > BitLocker Drive Encryption to turn it on. When it asks where to save the recovery key, put it somewhere other than the drive you are encrypting (your Microsoft account, a printout, or a USB stick you keep elsewhere); without that key, a failed update or a firmware change can lock you out of your own data. Keep in mind that BitLocker protects data at rest only: once Windows is unlocked, malware running as you can read everything just as you can. More on how to enable this without a TPM here.
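The two items above (TPM/Secure Boot in firmware, then BitLocker on top of the TPM) can be checked and applied from an elevated PowerShell instead of the GUI. This is an added example, not a script from the original post; it assumes the OS drive is C: and that $RecoveryKeyPath points at a removable drive (E: here, purely an assumption) where the recovery password should be saved. The cmdlets are the ones Windows 10 ships with.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): verify firmware prerequisites,
# then enable BitLocker on the OS volume with a TPM protector plus a recovery
# password that is saved off the encrypted drive.
param(
    [string]$OsDrive = "C:",
    # Assumption: E: is a USB stick, NOT the drive being encrypted.
    [string]$RecoveryKeyPath = "E:\BitLocker-Recovery-$env:COMPUTERNAME.txt"
)

# 1. Firmware checks. Confirm-SecureBootUEFI throws on legacy BIOS machines,
#    so treat an exception as "Secure Boot not available".
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $false }
$tpm = Get-Tpm

Write-Host ("Firmware type     : {0}" -f $env:firmware_type)   # UEFI or Legacy
Write-Host ("Secure Boot on    : {0}" -f $secureBoot)
Write-Host ("TPM present/ready : {0}/{1}" -f $tpm.TpmPresent, $tpm.TpmReady)

if (-not $tpm.TpmPresent) {
    throw "No TPM detected. Enable it in UEFI setup (or see the post's link for BitLocker without a TPM)."
}
if (-not $secureBoot) {
    Write-Warning "Secure Boot is off. Turn it on in UEFI setup; BitLocker will still work, but the boot chain is unprotected."
}

# 2. Add a recovery password protector first, so there is always a way back in
#    even if the TPM measurements change (firmware update, board swap).
$vol = Get-BitLockerVolume -MountPoint $OsDrive
$rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $OsDrive -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $OsDrive
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1
}

# 3. Turn on encryption (XTS-AES 256, whole drive) with the TPM unlocking the OS volume.
#    -SkipHardwareTest starts encrypting now instead of after a test reboot.
if ($vol.ProtectionStatus -eq 'On') {
    Write-Host "BitLocker protection is already on for $OsDrive"
} else {
    Enable-BitLocker -MountPoint $OsDrive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
}

# 4. Save the recovery password somewhere that is not this disk.
$recoveryText = @(
    "Computer          : $env:COMPUTERNAME"
    "Protector ID      : $($rp.KeyProtectorId)"
    "Recovery password : $($rp.RecoveryPassword)"
) -join "`r`n"

if (Test-Path (Split-Path $RecoveryKeyPath -Parent)) {
    Set-Content -Path $RecoveryKeyPath -Value $recoveryText
    Write-Host "Recovery password written to $RecoveryKeyPath (store it in your Microsoft account or password manager too)."
} else {
    Write-Warning "Removable drive not found; copy this somewhere safe before you leave this screen:"
    Write-Host $recoveryText
}

# 5. Show the result (EncryptionPercentage climbs in the background).
Get-BitLockerVolume -MountPoint $OsDrive |
    Format-List MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, KeyProtector
```

Run it as `.\Enable-DeviceEncryption.ps1` (or with `-RecoveryKeyPath` pointing at whatever drive you actually use) from an administrator PowerShell. The ordering matters: adding the recovery password before the TPM protector means there is never a moment where the only key to the disk lives inside a chip that can be reset.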
Privacy settings: Everyone has a different level of comfort when it comes to these settings. I try to disable anything that looks like it might be sharing marketing data, location or other information unless it specifically benefits me, and those benefits are made clear to me. If I don’t know what it is, I disable it–it can always be turned on later. Visit Start > Settings > Privacy to browse what is going on with your device and data. Not using your camera? Don’t want other apps to access it, or the other parts of your device? Then put the smack-down on that stuff right from here.
Enable UAC: User Account Control (UAC) is not an optional protection. If you leave it off, you are basically inviting malware to do whatever the hell it wants on your PC, without you noticing. So turn it on. Control Panel > User Accounts > Change User Account Control settings. Make sure the slider is all the way up at Always notify. The default (one notch down) silently lets Windows’ own signed binaries elevate without a prompt, which is exactly the behaviour UAC-bypass tricks abuse, and Always notify also puts the prompt on the secure desktop so another program can’t click “Yes” for you. Click OK to save changes. Even at Always notify, Microsoft does not consider UAC a hard security boundary, which is one more reason the standard-user accounts further down matter.
Disable SMBv1: Version 1 of the file sharing protocol (Server Message Block, or SMB) is out of date and has serious, well-documented weaknesses. The recent WannaCry outbreak spread by exploiting a flaw in Windows’ SMBv1 implementation. Granted, there is a patch for that particular flaw (MS17-010), but most people will never need this old protocol, and who knows what future variants will find in it. From Control Panel go to Programs and Features > Turn Windows features on or off. Scroll down to find SMB 1.0/CIFS File Sharing Support, un-check the box and click OK (a reboot is required). The one thing this can break is access to very old NAS boxes or printers that only speak SMBv1; if you run into that, update or replace the device rather than turning SMBv1 back on.
Disable discovery & file sharing: Go to Start > Settings > Network & Internet and click Sharing options (it opens the Control Panel’s Advanced sharing settings page). Unless you have a good reason, don’t share files from this device. That means you should expand every network profile on this page and pick Turn off network discovery and Turn off file and printer sharing. By default the “Private” profile (e.g. your home network) allows both, while “Public” disables them. Unless you really need sharing for some reason, I turn it off for both, so that when you switch to a new Wi-Fi network, or a user joins a new network but picks Private instead of Public by mistake, you know the listening ports (TCP 445 for file sharing, plus the discovery ports) still stay closed.
Set folder options: Two very annoying “View” settings are enabled in File Explorer by default that I recommend disabling. These settings affect the experience of browsing through the folders and files on your PC. You might find other default view settings you’d like to change as well; these are just what I recommend. Go to File Explorer, click View in the ribbon, then Options. Under the View tab, find each of the following and remove the checkmark:
- Hide extensions for known file types (then you don’t have to guess what kind of file something is; it also means a file called invoice.pdf.exe shows its real .exe ending instead of masquerading as invoice.pdf)
- Show sync provider notifications (this is code for “marketing OneDrive ads to you”)
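The four items above (UAC, SMBv1, discovery/file sharing, and the Explorer view options) each map to a handful of registry values, firewall rule groups, or optional-feature switches, so they can be applied and verified in one go from an elevated PowerShell. This is an added example and not part of the original post; the registry paths and values are the ones Windows writes when you use the GUI steps above, and the only assumption is that you run it from the account whose Explorer settings you want to change (the Explorer part lives under HKCU).

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): apply the UAC, SMBv1, network
# sharing and Explorer settings from the checklist, then report PASS/FAIL.
# Assumption: run it in the user account whose Explorer view you want to fix
# (the HKCU values below belong to that account).

# --- UAC: slider at "Always notify" ---
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty $uacKey -Name EnableLUA                  -Value 1 -Type DWord  # UAC on at all
Set-ItemProperty $uacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord  # consent prompt for every elevation (default is 5: Windows binaries auto-elevate)
Set-ItemProperty $uacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord  # prompt on the secure desktop so other apps can't click it

# --- SMBv1: remove the optional feature, and switch off both server and client sides ---
$smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
if ($smb1.State -ne 'Disabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force          # this PC stops serving SMBv1
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null # this PC stops speaking SMBv1 to servers
sc.exe config mrxsmb10 start= disabled                      | Out-Null

# --- Network discovery and file/printer sharing: off for every profile ---
# Disabling the firewall rule groups is what the "Turn off ..." radio buttons do,
# and it holds regardless of whether a network is marked Private or Public.
Set-NetFirewallRule -DisplayGroup 'Network Discovery'        -Enabled False
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Enabled False
# Belt and braces: treat whatever network we are on right now as Public.
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Public

# --- Explorer view options (per user) ---
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty $advKey -Name HideFileExt                   -Value 0 -Type DWord  # show file extensions
Set-ItemProperty $advKey -Name ShowSyncProviderNotifications -Value 0 -Type DWord  # no OneDrive ads in Explorer

# --- Verify each setting the way an auditor would: read it back, don't trust the write ---
$smbState = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State
$checks = [ordered]@{
    'UAC enabled (EnableLUA=1)'                 = (Get-ItemPropertyValue $uacKey EnableLUA) -eq 1
    'UAC always notify (Admin=2, SecureDesk=1)' = ((Get-ItemPropertyValue $uacKey ConsentPromptBehaviorAdmin) -eq 2) -and
                                                  ((Get-ItemPropertyValue $uacKey PromptOnSecureDesktop) -eq 1)
    'SMB1 feature removed (or pending reboot)'  = $smbState -in @('Disabled', 'DisablePending')
    'SMB1 server disabled'                      = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
    'Network Discovery rules off'               = -not (Get-NetFirewallRule -DisplayGroup 'Network Discovery'        | Where-Object { $_.Enabled -eq 'True' })
    'File and Printer Sharing rules off'        = -not (Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Where-Object { $_.Enabled -eq 'True' })
    'File extensions shown'                     = (Get-ItemPropertyValue $advKey HideFileExt) -eq 0
    'Sync provider notifications off'           = (Get-ItemPropertyValue $advKey ShowSyncProviderNotifications) -eq 0
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-4} {1}' -f $(if ($c.Value) { 'PASS' } else { 'FAIL' }), $c.Key
}
Write-Host "Reboot to finish removing SMBv1; sign out and back in for Explorer to pick up the view changes."
```

The verification block is the part worth keeping around: run just that half later (or on a machine someone else set up) and you get an eight-line report of whether the device still matches this checklist, which is far more reliable than clicking through the four GUI pages again.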
Users & Groups: Who else has access to this machine? Be sure they sign in with their own user account, and make sure those accounts are not Administrators on the device. Go to Start > Settings > Accounts > Other people and choose Add someone else to this PC. You don’t have to use a Microsoft account here (again, there are benefits to doing so); just know that you can also find the option to Add a user without a Microsoft account. A new account created this way is a “Standard” user (non-Administrator) by default. Ideally your own day-to-day account is Standard too, with a separate local administrator account that you only use when UAC asks for it; that way a bad click in your browser or email runs without the rights to install drivers, disable protections or reach other users’ files.
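The same thing from an elevated PowerShell, as an added example that is not from the original post: create a standard (non-admin) local account for another person and then list who actually sits in the local Administrators group, since that group, not the account type shown in Settings, is what decides who can elevate. The account name is an assumption; adding a Microsoft account still has to be done through Settings.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): add a standard local user and
# audit the local Administrators group. $NewUser is a placeholder name.
param([string]$NewUser = 'family-member')

# 1. Create the account if it doesn't exist. New-LocalUser does not put the
#    account in any group, so add it to Users explicitly (and nowhere else).
if (-not (Get-LocalUser -Name $NewUser -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Initial password for $NewUser"
    New-LocalUser -Name $NewUser -Password $pw -FullName $NewUser `
                  -Description 'Standard user (no admin rights)' | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $NewUser
    Write-Host "Created standard user $NewUser"
}

# 2. Who can elevate on this PC? Anything here besides your own admin account
#    needs a reason: a previous owner, a vendor's setup account, a stray group.
Write-Host "`nMembers of the local Administrators group:"
Get-LocalGroupMember -Group 'Administrators' |
    Format-Table Name, PrincipalSource, ObjectClass -AutoSize

# 3. Confirm the new account is NOT in Administrators.
$isAdmin = Get-LocalGroupMember -Group 'Administrators' |
           Where-Object { $_.Name -like "*\$NewUser" }
if ($isAdmin) {
    Write-Warning "$NewUser is an administrator; demoting."
    Remove-LocalGroupMember -Group 'Administrators' -Member $NewUser
}

# 4. The built-in Administrator (RID 500) is disabled out of the box on
#    Windows 10; make sure nobody switched it on.
Get-LocalUser | Where-Object { "$($_.SID)" -like '*-500' } |
    Select-Object Name, Enabled, LastLogon
```

To demote any other unexpected member you find in step 2, use the same `Remove-LocalGroupMember -Group 'Administrators' -Member '<name>'` call shown in step 3; do it from an account that stays in the group, and make sure at least one working administrator remains before you sign out.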
Install & Set Default Programs: For example, if you use Outlook, then first install Office (from Office 365 or other install media), and then afterward, go to Start > Settings > System > Default apps. At the bottom you can choose to Set defaults by app. Here, we make sure Outlook is set as your default app for Email. I also install the Chrome browser and set it as my default browser, etc. Visit Ninite to download & install the latest versions for all of your favorite common apps at once.
Antivirus/Antimalware: Pick a good, reputable product and run with it. Webroot, Avast, AVG, anything really. Windows 10 already includes Windows Defender, which is a reasonable baseline if you install nothing else; whatever you pick, run only one real-time antivirus engine at a time, because two of them scanning the same files tend to conflict and slow the machine down. I usually also add Malwarebytes and Malwarebytes Anti-Exploit, which are available in free and paid versions.
Ad-blocker: Speaking of web browsers, I use and recommend uBlock Origin, which is free, but there are other products available too. Ads are distracting, unnecessary, and can contain malicious code or links. So having these blocked is not even optional anymore, in my opinion.
HTTPS Everywhere: Another extension I use and recommend with Chrome is HTTPS Everywhere. It rewrites your requests to use HTTPS whenever the site supports it, instead of plain HTTP. The “S” stands for secure: the content of your traffic is encrypted in transit and the site has to prove its identity with a certificate, so someone on the same Wi-Fi can neither read nor tamper with what you send. It does not hide which sites you visit (the hostname and IP address are still visible to your employer, network administrator or ISP, and InPrivate or Incognito mode doesn’t hide that either), but it does give you reasonable assurance that nobody between you and the site is reading along, and that the places you are visiting are who they claim to be.
Backup: Too often overlooked. You need a backup. Modern ransomware is scary stuff; in some cases it will even seek out and try to destroy backup repositories it can reach, so having a cloud-based or other offsite/offline backup is highly recommended. iDrive, CrashPlan, Mozy, Carbonite, Backblaze, the list goes on. Windows includes a free backup utility (File History) under Start > Settings > Update & Security > Backup, but you’ll need an external USB drive, and a drive that stays plugged in is exactly the kind of backup ransomware can reach. Not my favorite option to rely on, but it’s there if you need it; if you use it, unplug the drive between backups and test a restore now and then.
Password management: Use good password hygiene. That means lengthy passwords with good complexity, different passwords for every site, and two-factor authentication (e.g. your mobile device) wherever it is offered. LastPass or 1Password can be lifesavers for managing this mess. Be sure that you can remember the “master” password for these utilities, and enable a second factor on them, as well!
Just be smart: There are probably many other things we could add to this list, but the most important is to keep your wits about you. Keep an eye on your devices, watch what you say or share with others online, be wary of incoming emails and other communications, especially those containing attachments. Just. Be. Smart. This one in particular is just too important to ignore.
Post-script: I just recently came across this resource, too, from an MVP and trusted advisor, Small Business Susan. Great stuff in here.