Introducing the Windows 10 Business Secure Configuration FrameworkAlex Fields
Update March 2023: This publication has been updated significantly and renamed as well. It is now called The SMB Guide to Threat Defense and Microsoft Defender in Microsoft 365 Business Premium Plans. This guide describes implementation of Microsoft Defender for Office 365 as well as Microsoft Defender for Business, and more! The product still includes supporting materials such as scripts and templates to help you implement each of the three security profiles. Get the product here. It is also included in the Consultant’s Bundle.
Microsoft has published guidance with respect to securing Enterprise workstations, however this type of literature is lacking for the small business. Specifically, Windows 10 Business (part of Microsoft 365 Business) does not contain all of the same software and features as the Enterprise editions of Windows 10 and Microsoft 365.
Therefore, I have parsed out and constructed a new set of security profiles loosely based on the Enterprise framework, but which contain simplified policies that are 100% compatible with Windows 10 Business! This resource should save you a ton of guesswork and time, and will be even easier to implement than what I previously published. Take a look.
The Windows 10 Business Secure Configuration Profiles
The new implementation guide also includes additional resources such as templates and scripts.
Drawing on my own experience implementing Microsoft 365 Business as well as Microsoft’s literature for the Enterprise, I have designed three basic profiles:
- Baseline: This profile is appropriate for use in most small business environments and is also BYOD-friendly. The goal is not to impose too many restrictions while at the same time allowing the company to manage and secure the workstation.
- Standard: Corporate security is a more advanced profile with tighter security and restrictions via the Windows MDM security baseline provided by Microsoft. However, users are still able to install applications and customize many settings.
- Strict: This profile uses Autopilot to remove local admin. As well, Conditional Access to block unmanaged devices. The Autopilot deployment process and baseline modifications are both described in the guide.
The typical implementation will always begin by implementing the Baseline security profile first, and then progressing up through the levels using the guidance I have laid out in the accompanying how-to doc.
Possible extensions to the framework
Although I only created three profiles for simplicity’s sake on this project, it would be possible to extend the framework further, for example:
A more basic security profile may simply forgo implementing the Enhanced security device configuration profiles, while still requiring device compliance and monitoring, and maybe even app protection.
On the other end, a more restrictive/specialized workstation may also impose restrictions on web browsing and/or include application whitelisting. These controls, however, would likely be achieved with third-party products. The three in the middle is what I have already built out for you, and I think those should cover 95% of the small and mid-sized businesses that I regularly consult with.
I hope that you enjoy this product as much as I do. It saves me loads of time as I implement secure configurations for other customers who are adopting Microsoft 365 Business as their new technology platform.
Drop me a line and let me know what you think of the product, and THANK YOU for your support–seriously, you all are awesome.