Introducing the Windows 10 Business Secure Configuration Framework
Alex Fields
Microsoft has published guidance on securing Enterprise workstations; however, this type of literature is lacking for the small business. Specifically, Windows 10 Business (part of Microsoft 365 Business) does not contain all of the same software and features as the Enterprise editions of Windows 10 and Microsoft 365.
Therefore, I have parsed out and constructed a new set of security profiles loosely based on the Enterprise framework, but which contain simplified policies that are 100% compatible with Windows 10 Business! This resource should save you a ton of guesswork and time, and will be even easier to implement than what I previously published. Take a look.
The Windows 10 Business Secure Configuration Profiles
The scripts to import all of the policy and configuration profile objects are posted on my GitHub repository under Windows 10. As well, I have a corresponding implementation guide available at GumRoad ($25 USD).
You can also view it for free online (non-downloadable/non-printable).
Drawing on my own experience implementing Microsoft 365 Business as well as Microsoft’s literature for the Enterprise, I have designed three basic profiles:
- Enhanced security profile: This profile is appropriate for use in most small business environments and is also BYOD-friendly. The goal is not to impose too many restrictions while at the same time allowing the company to manage and secure the workstation and its applications. Many of the more advanced security features such as Attack Surface Reduction are left in audit mode so that events can be monitored, but no actions will be taken against the device.
- Corporate security profile: Corporate security is a more advanced profile with tighter security and restrictions via the Windows 10 MDM security baseline provided by Microsoft. However, users are still able to install applications and customize many settings. Before moving to this profile, use the Enhanced profile to audit events related to advanced Microsoft Defender features, and use that data to make exceptions as needed (the guide describes how to do this).
- High security profile: This profile uses Autopilot to remove local admin rights and Conditional Access to block unmanaged devices. The Autopilot deployment process and baseline modifications are both described in the guide.
The typical implementation will always begin by implementing the Enhanced security profile first, and then progressing up through the levels using the guidance I have laid out in the accompanying how-to doc.
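The Enhanced profile leaves Attack Surface Reduction in audit mode so that events can be reviewed before exceptions are made and the Corporate profile is applied. The following PowerShell is an added example (not part of the post or the GitHub scripts) that a technician could run on a managed Windows 10 Business device to confirm the effective ASR rule modes and summarise the audit events by rule and process. It assumes the standard Defender cmdlets and the Defender Operational event log; the EventData field names used (`ID`, `Path`, `Process Name`) are assumed from the schema of events 1121/1122 and should be checked against a live event.

```powershell
# Added example: review ASR state and audit events on a device that received the
# Enhanced profile. Run in an elevated PowerShell session on the workstation.

# Action values as used by Set-MpPreference / Get-MpPreference (assumed mapping
# from Microsoft's ASR documentation: 0 Disabled, 1 Block, 2 Audit, 6 Warn).
$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

# 1. Effective ASR configuration on this device (whatever the MDM profile delivered).
$pref = Get-MpPreference
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
    $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    '{0}  {1}' -f $id, $ActionNames[$action]
}

# 2. ASR events: 1122 = audit (would have been blocked), 1121 = actually blocked.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1121, 1122
} -ErrorAction SilentlyContinue

# 3. Group by rule and process so exception decisions are based on observed data,
#    not guesswork, before the device is moved to the Corporate profile.
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Mode    = if ($_.Id -eq 1122) { 'Audit' } else { 'Block' }
        RuleId  = $data['ID']            # assumed field: ASR rule GUID
        Process = $data['Process Name']  # assumed field: initiating process
        Target  = $data['Path']          # assumed field: file/target path
        Time    = $_.TimeCreated
    }
} | Group-Object RuleId, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A rule/process pair that appears repeatedly in audit for a legitimate line-of-business application is a candidate for an exclusion; pairs that never appear can be switched to block without user impact.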
To get started, all you need to do is download and run:
NOTE: None of the profiles or policies will be assigned by these scripts; they will only be imported. The guide will walk you through the proper order of implementation so that you have the smoothest roll-out.
And again, the GumRoad link.
Possible extensions to the framework
Although I only created three profiles for simplicity’s sake on this project, it would be possible to extend the framework further, for example:
A more basic security profile may simply forgo implementing the Enhanced security device configuration profiles, while still requiring device compliance and monitoring, and maybe even app protection.
On the other end, a more restrictive/specialized workstation may also impose restrictions on web browsing and/or include application whitelisting. These controls, however, would likely be achieved with third-party products. The three in the middle are what I have already built out for you, and I think those should cover 95% of the small and mid-sized businesses that I regularly consult with.
I hope that you enjoy this product as much as I do. It saves me loads of time as I implement secure configurations for other customers who are adopting Microsoft 365 Business as their new technology platform.
Drop me a line and let me know what you think of the product, and THANK YOU for your support–seriously, you all are awesome.