About this guidance
This guidance has been updated to cover the 1803 “April 2018 Update” of Windows 10 Enterprise. It builds on the previous Windows 10 ALPHA Mobile Device Management (MDM) guidance.
The NCSC has separate guidance on managing Windows 10 deployments using traditional Domain Controllers, Active Directory and Group Policies. Both documents will continue to be maintained.
This guidance was developed following testing performed on a Dell XPS 9360 running Windows Enterprise version 1803 (April 2018 Update), managed with Microsoft Intune (MDM) and Azure Active Directory (AAD). It applies only to Windows 10 versions newer than the April 2018 Update (version 1803) and to devices that are explicitly managed by MDM. Whilst the configuration policies have only been tested on Intune, all the configuration steps described here are supported by Microsoft’s Configuration Service Providers (CSP) interface. As such they will be applicable to any MDM solution which supports this interface.
Note that recommendations here are not compatible with Windows 10 Mobile devices – see the Windows 10 Mobile platform guidance documentation for recommended settings and configurations.
It’s important to remember that this guidance has been conceived as a way to satisfy the 12 End User Device Security Principles. As such, it consists of recommendations and should not be seen as a set of mandatory instructions requiring no further thought.
Risk owners and administrators should agree a configuration which balances business requirements, usability and security.
Differences in risk between MDM and Traditional management of Windows 10
| Risk | Explanation of difference |
|---|---|
| Windows Defender Firewall | On traditionally managed Windows devices, we recommend using the firewall to block outbound connections when the VPN is not active. This ensures all traffic from the device goes via the VPN. Currently, you can only partially manage the Windows Defender Firewall with the configuration service provider (CSP) interface (Firewall CSP). We will update this guidance once we believe the CSP can satisfy the configuration needs and can guarantee all traffic leaving the EUD will go via the VPN. |
Risk owners’ summary
We recommend the following architectural choices for Windows 10:
- All data from the device should be routed over a secure enterprise Virtual Private Network (VPN) to ensure the confidentiality and integrity of the traffic, and to allow the devices and data on them to be protected by enterprise protective monitoring solutions.
- Users are not permitted to install arbitrary third-party application on the device. Applications should be authorised by an administrator and deployed via a trusted mechanism.
- Most users should have accounts with no administrative privileges. Users that require administrative privileges should use a separate unprivileged account for email and web browsing. It is recommended that local administrator accounts have a unique strong password per device.
When configured in this way, risk owners should be aware of the following technical risks associated with this platform:
| Security Principle | Explanation of risks |
|---|---|
| Assured data-in-transit protection | Currently you cannot use MDM management to configure the built-in Windows firewall to explicitly block outbound connections when the VPN is not active. |
| Secure boot | Windows 10 can support secure boot, but this is dependent on supported and correctly configured hardware. |
Administrators’ deployment guide
Overview
To meet the principles outlined in the End User Devices Security Framework, several recommendations are given in the table below.
| Security Principle | Explanation |
|---|---|
| Assured data-in-transit protection | Use the Windows 10 Built-In VPN Client configured as per the NCSC customisation guide (available from [email protected]).
Use certificates for user or machine credentials. Windows Hello should be used to bind these credential to the device’s hardware. Currently you cannot use MDM management to configure the built-in Windows firewall to explicitly block outbound connections when the VPN is not active. |
| Assured data-at-rest protection | Use one of the following configurations to provide full volume encryption:
If using BitLocker, ensure to back up the recovery key to AAD. Windows 10 1803 (April Update) introduces automatic encryption upon AAD join. If you wish to set up pre-boot authentication such as BitLocker PIN, automatic encryption will need to be disabled and an administrator will need to set a BitLocker PIN on the device. BitLocker is not Foundation Grade certified. However, the NCSC has determined that the level of protection it provides is equivalent to Foundation Grade when configured as per this guidance. |
| Authentication | The user implicitly authenticates to the device by decrypting BitLocker on boot.
The user then has a secondary credential to use when authenticating to the platform after boot and when unlocking the device. A good user experience will be achieved by enabling Windows Hello for Business and allowing the user to log in with a PIN code, this PIN code can be the same as the one used to authenticate to BitLocker. For both Windows Hello and traditional passwords, the credential derives a key which protects other credentials that give access to corporate services. In an enterprise environment, the user will also be issued with an Azure Active Directory credential which will be required when they use a device for the first time. Windows Hello for Business also permits biometric unlock of devices but the strength of its security is difficult to measure. In cases where there is a business requirement to use biometric authentication, and the risks of doing so are understood, biometric authentication can be enabled. Accounts with administrative privileges should only be present on End User Devices used to perform administrative functions. User accounts with administrative privileges should have a strong password and ideally a second factor to authenticate them to the platform at logon and unlock time. |
| Secure boot | On Windows 10, this requirement is met on a correctly configured platform. Organisations deciding on new devices should aim for devices that meet the standards for firmware and hardware set out within this Microsoft page.
A UEFI password can make it more difficult for an attacker to modify the boot process. With physical access, the boot process can still be compromised. |
| Platform integrity and application sandboxing | No configuration is required. |
| Application whitelisting | An enterprise configuration can be applied to implement application control using AppLocker. A recommended sample configuration that only allows Administrator-installed applications to run is provided below.
Windows Defender Application Control can also be used to reinforce application control rules. As it does not offer the same granularity as AppLocker, the two technologies should be used alongside one another. A recommended sample configuration has also been provided below, the sample configuration allows applications from the private Microsoft Store for Business to also be installed. AppLocker can be used to restrict which pre-installed Windows Apps are available to users. If the public Microsoft Store is enabled it can control which applications a user can install. |
| Malicious code detection and prevention | Windows 10 includes Windows Defender Antivirus and Windows Defender SmartScreen. These attempt to detect malicious code for the platform. Cloud sample submission can be disabled. Alternatively, third party anti-malware products are available. If using a third-party product, those that implement the Anti-Malware Scan Interface (AMSI) should be preferred, to improve compatibility with future Feature and Quality Updates.
The Early Launch Anti-Malware (ELAM) driver provides signature checking for known bad drivers on ELAM compliant systems that are configured to use Secure Boot. Microsoft Store for Business or a Company Store can be used to distribute user-installable universal apps. Such stores should only contain vetted apps. If the public Microsoft Store is enabled, AppLocker and Windows Defender Application Control can be used to control which applications a user is able to install. Content-based attacks can be filtered by scanning capabilities in the enterprise. |
| Security policy enforcement | Disable un-enrolment from the MDM service. Settings applied to the device via the MDM service cannot then be modified or removed by unprivileged users. Organisations using Autopilot can force wiped devices to automatically enrol back into the MDM service, see the Zero-touch provisioning section below for more details. |
| External interface protection | Interfaces can be configured using MDM policy. USB removable media can be blocked through MDM settings if required. Direct Memory Access (DMA) is possible from peripherals connected to some external interfaces including FireWire and Thunderbolt, unless disabled through MDM settings as detailed in System Hardening, or in the UEFI/BIOS. |
| Device updates | Configure Windows Update to automatically download and install updates. If the Microsoft Store is enabled, it should be configured to automatically update Microsoft Store apps.
Some devices will allow the UEFI firmware to be updated automatically via Windows Update. Devices that do not implement this will require updates via another mechanism whenever new firmware is released. |
| Event collection | Events such as sign-in information and general audit logs can be found within the AAD and Intune portal. More detailed diagnostic information from the device can be obtained using the DiagnosticLog CSP. |
| Incident response | Windows 10 devices can be wiped remotely by an MDM. In the event that a device is compromised, a full device wipe is recommended – see the NCSC Factory reset guidance for more details on how to achieve this on Windows 10. |
Preparation for deployment
The steps below should be followed to prepare infrastructure for deployment of these devices:
- Procure, deploy and configure network components, including an approved IPsec VPN Gateway.
- Configure Azure Active Directory (AAD) with the appropriate accounts and licences to meet your organisation’s needs. Set up and approve your MDM solution to be authoritative over the directory.
- Configure AAD to automatically enrol connected devices into the chosen MDM solution.
- Configure users and groups according to the principle of least privilege.
- Create MDM profiles for users in accordance with the settings later in this section.
- Deploy an AppLocker rule set using MDM settings following guidance in the Application Whitelisting section. A sample configuration which allows only applications installed by an Administrator to run, is outlined in the AppLocker settings below.
Device provisioning steps
The steps below should be followed to provision each end user device, preparing it for distribution to end users:
- By default, the user who joins the device to AAD and enrols into MDM is placed into the Local Administrators group on that device. As such, users should not be instructed to enrol themselves. All device enrolment should be performed by administrators using administrative accounts. Alternatively, if using a correctly configured zero-touch deployment programme such as Autopilot, users will not be given admin privileges.
- Update the system firmware to the latest version available from the vendor. This will be called either a UEFI or BIOS update. This may not be required if your devices receive firmware updates via Windows Update.
- Configure the system firmware to boot in UEFI mode, enable TPM, Secure Boot and virtualisation extensions. Disable unused hardware interfaces, check the boot order to prioritise internal storage and set a password to prevent changes. Most of these settings will be available on devices that meet the standards set by Microsoft for a highly secure Windows 10 device.
- Deploy your organisation’s standard desktop build using a clean Windows 10 Enterprise image or use a Signature Edition device where re-imaging may not be needed.
- Join the device to AAD and enrol it into your MDM either by:
- Promoting a dedicated provisioning account to become a Device Enrolment Manager. Use this account to join AAD and enrol into your MDM.
- Use the Windows Configuration Designer tool which is part of the Windows Assessment and Deployment Kit (ADK), to create a provisioning package. Apply the provisioning package during the out-of-box experience (OOBE). The first account used to sign in will be added to the list of local administrators.
- Use an MDM-specific enrolment app.
Zero-touch provisioning steps
Windows Autopilot is a collection of technologies used to set up and pre-configure devices directly from OEMs (Original Equipment Manufactures).
Autopilot explicitly requires MDM automatic enrolment, details on how to set this up can be found here, other requirements can be found here.
Organisations can use Autopilot on new or existing devices by:
New devices
- Purchase new devices from OEM or via normal procurement route, ensuring they support the Windows Autopilot programme.
- Claim ownership of devices by uploading the device IDs provided by the OEM to Microsoft Store for Business, Intune or equivalent MDM.
- Configure Autopilot deployment profile and assign to devices, following the example profile below.
- Provide end users with AAD username and password to log into new devices.
- Ship devices directly to end users ensuring they are connected to the internet* when they go through the OOBE for the first time.
Existing devices
- Reset or re-image existing devices
- Run the Windows Autopilot Info PowerShell script to gather the required device IDs.
- Upload the device IDs to Microsoft Store for Business, Intune or equivalent MDM.
- Configure deployment profile and assign to devices. Follow the below example configuration for Autopilot.
- Provide end users with AAD username and password to log into new devices.
- Give devices to end users ensuring they connect to the internet* when they go through the OOBE for the first time.
*Devices must connect to the internet when they go through OOBE. A device with no internet access will not be able to enrol into your organisation’s MDM and apply security configuration.
Recommended configuration profile for Autopilot:
The following options are automatically enabled for devices that are deployed with Autopilot:
- Skip Work or Home usage selection
- Skip OEM registration and OneDrive configuration
- Skip user authentication in OOBE
The table below shows the additional recommended configuration admins should set for Autopilot:
| Windows Autopilot deployment profile | Value(s) |
|---|---|
| Device enrolment – Windows enrolment – Deployment Profiles | Deployment mode: User-Driven |
| Device enrolment – Windows enrolment – Deployment Profiles
Out-of-box experience (OOBE) |
End user license agreement (EULA): Show
Privacy Settings: Show User account type: Standard |
Recommended policies and settings
This section details important security policy settings which are recommended for a Windows 10 MDM deployment. Remember, any guidance points given here are recommendations – they are not mandatory.
Risk owners and administrators should agree a configuration which balances business requirements, usability and the security of the platform. Settings not listed in this section are either not applicable to this mode, not currently available, or should be chosen according to your organisation’s policies and requirements.
Some of the configuration below utilises ADMX-backed CSP polices, you should familiarise yourself with this structure before continuing. To enable these types of polices, read this guide. Some of these settings are specific to Microsoft Intune. When using other MDM solutions, the equivalent setting should be configured. Not that the text you see accompanying a setting may be different to that shown below.
Importable configuration scripts
Organisations using Microsoft Intune can download the below configuration as a zipped JSON file. The configuration can then be imported into Intune using a Microsoft-provided import script.
User Account Hardening
| Device Configuration Profile | Value(s) |
|---|---|
| Custom configuration
CredentialsUI – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/CredentialsUI/DisablePasswordReveal |
Date type: String (XML)
Value: <enabled/> |
| Device Restrictions – General
Cortana |
Block |
| Device restrictions – Cloud and Storage
Settings synchronisation for Microsoft account |
Block |
| Device Restrictions – Password
Password |
As per Authentication Policy |
| Device Restrictions – Password
Maximum minutes of inactivity until screen locks |
As per Authentication Policy |
| Device Restrictions – Password
Simple passwords |
As per Authentication Policy |
| Device restrictions – Windows Spotlight
Windows Spotlight |
Block |
| Device restrictions – Windows Spotlight
Apps Suggestions in Ink Workspace |
Block |
| Device restrictions – General
Ink Workspace |
Disabled on lock screen |
| Device restrictions – General
Manual unenrolment |
Block
Note – This policy setting is not applied if the computer is AAD joined and auto-enrolment is enabled. |
Authentication Policy
Your organisation should have a consistent authentication policy which applies to all users and devices capable of accessing its data. You can use our published password guidance to help inform any password policy.
An administrator should configure the relevant on-device settings in line with your authentication policy.
For further guidance on authentication policies, see the NCSC EUD Authentication guidance.
Intune, along with other MDMs, implement a number of relevant settings as Fine Grained Password Policies that should be configured.
| Password Profile | Value(s) |
|---|---|
| Device Restrictions – Password | Minimum password length
Number of sign-in failures before wiping device Directly Applies To: AAD Users |
| Device Restrictions – Password | Minimum password length
Required password type: Alphanumeric Password complexity: Numbers, lowercase, uppercase and special characters required Number of sign-in failures before wiping device Directly Applies To: Administrators |
| Device Restrictions – Password
Simple passwords |
Block |
Azure Active Directory
A user’s Azure Active Directory password will normally only be used when enrolling against a device for the first time. It is not backed by a second factor or by hardware-backed anti-hammer, even when Credential Guard is deployed. Different requirements can be set for different account types using Fine Grained Password Policies. If the Azure Active Directory password is only used for device enrolment, it needs to be easy to type in but does not need to be memorable.
Windows Hello for Business and Hardware Strengthening
The user should log in to a device or unlock it using Windows Hello for Business. This user credential is tied to the physical device using a PIN or biometric. When run on Windows 10 Certified devices it provides hardware-backed anti-hammer. Windows Hello should only be enabled on devices that use a hardware security device.
Users can choose to set a PIN after they have logged on to the device for the first time. A number of settings can be used to configure the PIN requirements including:
- Use a Trusted Platform Module (TPM)
- Minimum PIN length
- Maximum PIN length
- Lowercase letters in PIN
- Uppercase letters in PIN
- Special characters in PIN
- Use enhanced anti-spoofing, when available
- Allow phone sign-in
Once a PIN is set, if the device has the right sensors, the user can also enrol a biometric to unlock it. The strength of the security of the different types of biometric sensor is difficult to measure. If the risks of enabling biometrics are understood and accepted, biometric authentication can be enabled.
| Device enrolment > Windows enrolment > Windows Hello for Business > Settings |
|---|
| Allow biometric authentication |
The configuration provided in this guidance enables Virtual Secure Mode and Credential Guard on supported devices. Biometrics should not be used unless these features are installed and enabled. Biometrics are enabled by default on Windows 10, so MDM policy should be used to disable biometrics if Virtual Secure Mode and Credential Guard are not being used.
System Hardening
| Device Configuration Profile | Value(s) |
|---|---|
| Device restrictions – Reporting and telemetry
Share usage data |
Security
Note – If using Windows Update for Business this will need to be set to Basic. See Windows 10 feature updates for more details. |
| Device restrictions – General
Device discovery |
Block |
| Device restrictions – General
Add provisioning package |
Block |
| Device restrictions – General
Remove provisioning packages |
Block |
| Device restrictions – Locked Screen Experience
Cortana on locked screen |
Block |
| Device restrictions – Locked Screen Experience
Toast notification on locked screen |
Block |
| Device restrictions – App Store
Trusted app installation |
Allow |
| Device restrictions – App Store
Developer unlock |
Block |
| Device restrictions – App Store
Use private store only |
Allow |
| Device restrictions – Cellular and connectivity
Automatically connect to Wi-Fi hotspots |
Block |
| Custom configuration
ErrorReporting/DisableWindowsErrorReporting – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ErrorReporting/DisableWindowsErrorReporting |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
DeviceInstallation/PreventInstallationOfMatchingDeviceIDs – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceIDs |
Date type: String (XML)
Value: <enabled/> PCI\CC_0C0A |
| Custom configuration
DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceInstallation/PreventInstallationOfMatchingDeviceSetupClasses |
Date type: String (XML)
Value: <enabled/> {d48179be-ec20-11d1-b6b8-00c04fa372a7} {7ebefbc0-3200-11d2-b4c2-00a0C9697d07} {c06ff265-ae09-48f0-812c-16753d7cba83} {6bdd1fc1-810f-11d0-bec7-08002be2092f} |
| Custom configuration
DataProtection/AllowDirectMemoryAccess – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DataProtection/AllowDirectMemoryAccess |
Date type: Integer
Value: 0 Not Allowed |
| Custom configuration
NetworkIsolation/EnterpriseProxyServersAreAuthoritative – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseProxyServersAreAuthoritative |
Date type: Integer
Value: 1 |
| Custom configuration
NetworkIsolation/EnterpriseIPRangesAreAuthoritative – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/NetworkIsolation/EnterpriseIPRangesAreAuthoritative |
Date type: Integer
Value: 1 |
| Custom configuration
System/BootStartDriverInitialization – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/System/BootStartDriverInitialization |
Date type: String (XML)
Enabled: Good, Unknown and bad but critical |
| Custom configuration
WindowsLogon/DontDisplayNetworkSelectionUI – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/WindowsLogon/DontDisplayNetworkSelectionUI |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
Power/AllowStandbyWhenSleepingPluggedIn – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Power/AllowStandbyWhenSleepingPluggedIn |
Date type: String
Value: <disabled/> |
| Custom configuration
Power/RequirePasswordWhenComputerWakesOnBattery – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Power/RequirePasswordWhenComputerWakesOnBattery |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
Power/RequirePasswordWhenComputerWakesPluggedIn – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Power/RequirePasswordWhenComputerWakesPluggedIn |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
RemoteAssistance/SolicitedRemoteAssistance – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RemoteAssistance/SolicitedRemoteAssistance |
Date type: String (XML)
Value: <disabled/> |
| Custom configuration
RemoteProcedureCall/RestrictUnauthenticatedRPCClients – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RemoteProcedureCall/RestrictUnauthenticatedRPCClients |
Date type: String (XML)
Enabled: Authenticated |
| Custom configuration
Autoplay/DisallowAutoplayForNonVolumeDevices – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/AutoPlay/DisallowAutoplayForNonVolumeDevices |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
Autoplay/SetDefaultAutoRunBehavior – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Autoplay/SetDefaultAutoRunBehavior |
Date type: String (XML)
Enabled: Do not execute any autorun commands |
| Custom configuration
Autoplay/TurnOffAutoPlay – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Autoplay/TurnOffAutoPlay |
Date type: String (XML)
Enabled: All Drives |
| Custom configuration
RemoteDesktopServices/DoNotAllowDriveRedirection – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/DoNotAllowDriveRedirection |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
RemoteDesktopServices/PromptForPasswordUponConnection – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/PromptForPasswordUponConnection |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
RemoteDesktopServices/RequireSecureRPCCommunication – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/RequireSecureRPCCommunication |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
RemoteDesktopServices/ClientConnectionEncryptionLevel – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/RemoteDesktopServices/ClientConnectionEncryptionLevel |
Date type: String (XML)
Enabled: High |
| Custom configuration
Search/AllowIndexingEncryptedStoresOrItems – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Search/AllowIndexingEncryptedStoresOrItems |
Data type: Integer
Value: 0 Not allowed |
| Custom configuration
WindowsInkWorkspace/AllowWindowsInkWorkspace – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/WindowsInkWorkspace/AllowWindowsInkWorkspace |
Data type: Integer
Value: 1 Enabled but the user cannot access it above the lock screen |
| Custom configuration
DeviceLock/PreventLockScreenSlideShow – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/PreventLockScreenSlideShow |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
WindowsPowerShell/TurnOnPowerShellScriptBlockLogging – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/WindowsPowerShell/TurnOnPowerShellScriptBlockLogging |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
DeviceLock/PreventEnablingLockScreenCamera – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/DeviceLock/PreventEnablingLockScreenCamera |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ApplyUACRestrictionsToLocalAccountsOnNetworkLogon |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
MSSecurityGuide/ConfigureSMBV1ClientDriver – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1ClientDriver |
Date type: String (XML)
Value: Enabled – SMBv1 Driver Disabled
|
| Custom configuration
MSSecurityGuide/ConfigureSMBV1Server – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/ConfigureSMBV1Server |
Date type: String (XML)
Value: <disabled/> |
| Custom configuration
MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/EnableStructuredExceptionHandlingOverwriteProtection |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/TurnOnWindowsDefenderProtectionAgainstPotentiallyUnwantedApplications |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
MSSecurityGuide/WDigestAuthentication – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MSSecurityGuide/WDigestAuthentication |
Date type: String (XML)
Value: <disabled/> |
| Custom configuration
LanmanWorkstation/EnableInsecureGuestLogons – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/LanmanWorkstation/EnableInsecureGuestLogons |
Data type: Integer
Value: 0 Disabled |
| Custom configuration
Games/AllowAdvancedGamingServices – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/Games/AllowAdvancedGamingServices |
Data type: Integer
Value: 0 Not Allowed |
| Custom configuration
ControlPolicyConflict/MDMWinsOverGP – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/ControlPolicyConflict/MDMWinsOverGP |
Data type: Integer
Value: 1 MDM policy overrides Group Policy |
| Custom configuration
SystemServices/ConfigureHomeGroupListenerServiceStartupMode – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureHomeGroupListenerServiceStartupMode |
Data type: Integer
Value: 4 Disabled |
| Custom configuration
SystemServices/ConfigureHomeGroupProviderServiceStartupMode – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureHomeGroupProviderServiceStartupMode |
Data type: Integer
Value: 4 Disabled |
| Custom configuration
SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxAccessoryManagementServiceStartupMode |
Data type: Integer
Value: 4 Disabled |
| Custom configuration
SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveAuthManagerServiceStartupMode |
Data type: Integer
Value: 4 Disabled |
| Custom configuration
SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveGameSaveServiceStartupMode |
Data type: Integer
Value: 4 Disabled |
| Custom configuration
SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureXboxLiveNetworkingServiceStartupMode |
Data type: Integer
Value: 4 Disabled |
| Custom configuration
MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowICMPRedirectsToOverrideOSPFGeneratedRoutes |
Date type: String (XML)
Value: <disabled/> |
| Custom configuration
MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MSSLegacy/AllowTheComputerToIgnoreNetBIOSNameReleaseRequestsExceptFromWINSServers |
Date type: String (XML)
Value: <enabled/> |
| Custom configuration
MSSLegacy/IPSourceRoutingProtectionLevel – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPSourceRoutingProtectionLevel |
Data type: String (XML)
Value: <enabled/> Highest Protection, source routing is completely disabled |
| Custom configuration
MSSLegacy/IPv6SourceRoutingProtectionLevel – OMA-URI: ./Device/Vendor/MSFT/Policy/Config/MSSLegacy/IPv6SourceRoutingProtectionLevel |
Data type: String (XML)
Value: <enabled/> Highest Protection, source routing is completely disabled |
MDM policy can be used to limit user access to removable media such as USB mass storage devices, if required by organisational policy. The settings can be found in Device restrictions > General > Removable storage
MDM policy can also be used to fully whitelist all devices, or device classes, which are allowed to be installed. In this way you could allow, for example, basic peripherals such as mice, keyboards, monitors and network cards, but refuse the connection and installation of other devices. It is important to whitelist enough classes of device to allow a successful boot on a variety of hardware.
Details on how to enable whitelisting of specific devices can be found on MSDN.
Windows Defender configuration
See below for configuration on Windows Defender suite of protections.
Windows Defender Antivirus configuration
Configure Windows Defender Antivirus to enable cloud-backed protections while limiting its ability to send sensitive data for analysis. Organisations should consider the NCSC Cloud Security Principles when accessing cloud enabled solutions.
| Device Configuration Profile | Value(s) |
|---|---|
| Device Restrictions – Windows Defender Antivirus
Real-time monitoring |
Enabled |
| Device Restrictions – Windows Defender Antivirus
Behaviour monitoring |
Enabled |
| Device Restrictions – Windows Defender Antivirus
Network Inspection System (NIS) |
Enabled |
| Device Restrictions – Windows Defender Antivirus
Scan all downloads |
Enabled |
| Device Restrictions – Windows Defender Antivirus
Scan scripts loaded in Microsoft web browsers |
Enabled |
| Device Restrictions – Windows Defender Antivirus
Scan archive files |
Enabled |
| Device Restrictions – Windows Defender Antivirus
Scan incoming mail messages |
Enabled |
| Device Restrictions – Windows Defender Antivirus
Scan removable drives during a full scan |
Enabled |
| Device Restrictions – Windows Defender Antivirus
Cloud-delivered protection |
Enabled |
| Device Restrictions – Windows Defender Antivirus
File Blocking Level |
High |
| Device Restrictions – Windows Defender Antivirus
Time extension for file scanning by the cloud |
50 |
| Device Restrictions – Windows Defender Antivirus
Prompt users before sample submission |
Send all data without prompting |
| Device Restrictions – Windows Defender Antivirus
Submit samples consent |
Send safe samples automatically |
Windows Defender SmartScreen configuration
Windows Defender SmartScreen can provide organisations with protective measures if a user visits a potentially harmful website or downloads a potentially malicious file, for more information see Microsoft’s page on SmartScreen.
See below for a set of recommended settings:
| Device Configuration Profile | Value(s) |
|---|---|
| Device Restrictions – Windows Defender SmartScreen
SmartScreen for Microsoft Edge |
Require |
| Device Restrictions – Windows Defender SmartScreen
Malicious site access |
Block |
| Device Restrictions – Windows Defender SmartScreen
Unverified file download |
Block |
| Endpoint protection – Windows Defender SmartScreen
SmartScreen for apps and files |
Enable |
| Endpoint protection – Windows Defender SmartScreen
Unverified files execution |
Block |
Windows Defender Exploit Guard configuration
Windows 10 1709 introduced Windows Defender Exploit Guard, which is Microsoft’s successor to EMET. Microsoft has published a comparison between EMET and Exploit Guard.
Some of Windows Defender Exploit Guard configuration is done with an XML file, this file is then uploaded to Intune or an equivalent MDM. The XML file can be generated using the Windows Defender Security Center application, exported from EMET or via PowerShell
As Exploit Guard can cause compatibility issues with some applications, Microsoft recommends that Exploit Guard policies are thoroughly tested before they are enforced across an organisation. Audit mode can be used to support this.
| Device Configuration Profile | Value(s) |
|---|---|
| Attack Surface Reduction rules | |
| Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction
Flag credential stealing from the Windows local security authority subsystem |
Enable |
| Rules to prevent Office Macro threats | |
| Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction
Office apps injecting into other processes (no exceptions) |
Block |
| Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction
Office apps/macros creating executable content |
Block |
| Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction
Office apps launching child processes |
Block |
| Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction
Win32 imports from Office macro code |
Block |
| Rules to prevent script threats | |
| Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction
Obfuscated js/vbs/ps/macro code |
Block |
| Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction
js/vbs executing payload downloaded from Internet (no exceptions) |
Block |
| Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction
Process creation from PSExec and WMI commands* |
Block |
| Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction
Untrusted and unsigned processes that run from USB |
Block |
| Rules to prevent email threats | |
| Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction
Execution of executable content (exe, dll, ps, js, vbs, etc.) dropped from email (webmail/mail client) (no exceptions) |
Block |
| Rules to protect against ransomware | |
| Endpoint protection – Windows Defender Exploit Guard – Attack Surface Reduction
Advanced ransomware protection |
Enable |
| Controlled folder access | |
| Endpoint protection – Windows Defender Exploit Guard – Controlled folder access
Folder protection** |
Enable |
| Network filtering | |
| Endpoint protection – Windows Defender Exploit Guard – Network filtering
Network protection |
Enable |
| Exploit protection | |
| Endpoint protection – Windows Defender Exploit Guard – Exploit protection
Upload XML*** |
|
| Endpoint protection – Windows Defender Exploit Guard – Exploit protection
User editing of exploit protection interface |
Block |
* Only use if you are explicitly using Intune or another MDM. Configuration manager utilises WMI calls for device configuration
** If files stored outside of user and system directories should be protected with Controlled Folder access, these should be added to Exploit Guard with Configuration service providers.
*** Use either Windows Defender Security Center application, EMET or PowerShell to generate an importable XML document that is representative of your system. Read this page from Microsoft for a detailed look on how to generate this file.
Microsoft provide a technical document which shows a table of the various attack surface reduction rules, and what restrictions they impose.
Windows Defender Application Control configuration
| Device Configuration Profile | Value(s) |
|---|---|
| Endpoint protection – Windows Defender Application Control
Application control code integrity policies |
Enforce |
| Endpoint protection – Windows Defender Application Control
Trust apps with good reputation |
Enable |
Only Windows components, Microsoft store apps, and reputable applications as defined by the Intelligent Security Graph will be allowed to run.
Windows Defender Firewall configuration
| Device Configuration Profile | Value(s) |
|---|---|
| Global settings | |
| Custom configuration
Global/DisableStatefulFtp – OMA-URI: ./Vendor/MSFT/Firewall/MdmStore/Global/DisableStatefulFtp |
Boolean: True (Block Stateful FTP) |
| Domain (workplace) network | |
| Custom configuration
DomainProfile/EnableFirewall – OMA-URI: ./Vendor/MSFT/Firewall/MdmStore/DomainProfile/EnableFirewall |
Boolean: True (Enable the Domain Firewall) |
| Custom configuration
DomainProfile/DefaultInboundAction – OMA-URI: ./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DefaultInboundAction |
Integer: 1 (Block inbound connections) |
| Custom configuration
DomainProfile/AllowLocalPolicyMerge – OMA-URI: ./Vendor/MSFT/Firewall/MdmStore/DomainProfile/AllowLocalPolicyMerge |
Boolean: False (Ignore local policy rules) |
| Custom configuration
DomainProfile/DisableInboundNotifications – OMA-URI: ./Vendor/MSFT/Firewall/MdmStore/DomainProfile/DisableInboundNotifications |
Boolean: True (Disable inbound notifications) |
| Private (discoverable) network | |
| Custom configuration
PrivateProfile/EnableFirewall – OMA-URI: ./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/EnableFirewall |
Boolean: True (Enable the Private Firewall) |
| Custom configuration
DomainProfile/DefaultInboundAction – OMA-URI: ./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DefaultInboundAction |
Integer: 1 (Block inbound connections) |
| Custom configuration
PrivateProfile/AllowLocalPolicyMerge – OMA-URI: ./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/AllowLocalPolicyMerge |
Boolean: False (Ignore local policy rules) |
| Custom configuration
PrivateProfile/DisableInboundNotifications – OMA-URI: ./Vendor/MSFT/Firewall/MdmStore/PrivateProfile/DisableInboundNotifications |
Boolean: True (Disable inbound notifications) |
| Public (non-discoverable) network | |
| Custom configuration
PublicProfile/EnableFirewall – OMA-URI: ./Vendor/MSFT/Firewall/MdmStore/PublicProfile/EnableFirewall |
Boolean: True (Enable the Public Firewall) |
| Custom configuration
PublicProfile/DefaultInboundAction – OMA-URI: ./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DefaultInboundAction |
Integer: 1 (Block inbound connections) |
| Custom configuration
PublicProfile/AllowLocalPolicyMerge – OMA-URI: ./Vendor/MSFT/Firewall/MdmStore/PublicProfile/AllowLocalPolicyMerge |
Boolean: False (Ignore local policy rules) |
| Custom configuration
PublicProfile/DisableInboundNotifications – OMA-URI: ./Vendor/MSFT/Firewall/MdmStore/PublicProfile/DisableInboundNotifications |
Boolean: True (Disable inbound notifications) |
AppLocker configuration
This example set of AppLocker rules implements the principle outlined in Enterprise Considerations below. It can be modified to allow the user to install and run apps from either an enterprise software center or the Microsoft Store.
All the below configurations require an exported AppLocker XML profile to be uploaded into Intune.
Scripting languages such as Visual Basic Scripting should be disabled unless they are specifically needed. The Australian Cyber Security Center describe how to secure Powershell in the enterprise if it is to be used.
| Device Configuration Profile | Value(s) |
|---|---|
| EXE Enforcement Mode | Enabled |
|
Custom configuration OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/GROUPNAME/EXE/Policy
Data type: String (XML file) |
Allow Everyone: All files located in the Windows Defender\Platform folder –
%OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\* Allow Everyone: All files located in the Program Files folder – with exceptions Exception: (Path) %PROGRAMFILES%\Windows Kits\*\Debuggers\* Allow Everyone: All files located in the Windows folder – with exceptions Exception: (Path) %SYSTEM32%\com\dmp\* Exception: (Path) %SYSTEM32%\FxsTmp\* Exception: (Path) %SYSTEM32%\Spool\drivers\color\* Exception: (Path) %SYSTEM32%\Spool\PRINTERS\* Exception: (Path) %SYSTEM32%\Spool\SERVERS\* Exception: (Path) %SYSTEM32%\Tasks\* Exception: (Path) %SYSTEM32%\microsoft\crypto\rsa\machinekeys\* Exception: (Path) %WINDIR%\tasks\* Exception: (Path) %WINDIR%\temp\* Exception: (Path) %WINDIR%\tracing\* Exception: (Path) %WINDIR%\registration\crmlog\* Exception: (Path) %WINDIR%\servicing\packages\* Exception: (Path) %WINDIR%\servicing\sessions\* Exception: (Publisher) %SYSTEM32%\WMIC.exe,* Exception: (Publisher) %SYSTEM32%\cmstp.exe,* Exception: (Publisher) %SYSTEM32%\mshta.exe,* Exception: (Publisher) %SYSTEM32%\PresentationHost.exe,* Exception: (Publisher) %SYSTEM32%\windbg.exe,* Exception: (Publisher) %SYSTEM32%\cipher.exe,* Exception: (Publisher) %Microsoft.NET%\Framework64\*\IEExec.exe Exception: (Publisher) %Microsoft.NET%\Framework64\*\InstallUtil.exe Exception: (Publisher) %Microsoft.NET%\Framework\*\regsvcs.exe Exception: (Publisher) %Microsoft.NET%\Framework\*\msbuild.exe Exception: (Publisher) %Microsoft.NET%\Framework\*\regasm.exe Allow Administrators: All files |
| Windows Installer Enforcement Mode | Enforced |
| Custom configuration
OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/GROUPNAME/MSI/Policy Data type: String (XML file) |
Allow Administrators: All Windows Installer files
Allow Everyone: %WINDIR%\Installer\* |
| Script Enforcement Mode | Enforced |
| Custom configuration
OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/GROUPNAME/Script/Policy Data type: String (XML file) |
Allow Everyone: All Scripts located in the Program Files folder
Allow Everyone: All Scripts located in the Windows folder – with exceptions Exception: (Path) %SYSTEM32%\com\dmp\* Exception: (Path) %SYSTEM32%\FxsTmp\* Exception: (Path) %SYSTEM32%\Spool\drivers\color\* Exception: (Path) %SYSTEM32%\Spool\PRINTERS\* Exception: (Path) %SYSTEM32%\Spool\SERVERS\* Exception: (Path) %SYSTEM32%\Tasks\* Exception: (Path) %WINDIR%\registration\crmlog\* Exception: (Path) %WINDIR%\tasks\* Exception: (Path) %WINDIR%\temp\* Exception: (Path) %WINDIR%\tracing\* Exception: (Path) %WINDIR%\servicing\packages\* Exception: (Path) %WINDIR%\servicing\sessions\* Exception: (Path) %SYSTEM32%\microsoft\crypto\rsa\machinekeys\* Allow Administrators: All scripts |
| DLL Enforcement Mode | Enforced |
| Custom configuration
OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/GROUPNAME/DLL/Policy Data type: String (XML file) |
Allow Everyone: All DLLs located in the Windows Defender\Platform folder –
%OSDrive%\ProgramData\Microsoft\Windows Defender\Platform\* Allow Everyone: All DLLs located in the Program Files folder Allow Everyone: All DLLs located in the Windows folder – with exceptions Exception: (Path) %SYSTEM32%\com\dmp\* Exception: (Path) %SYSTEM32%\FxsTmp\* Exception: (Path) %SYSTEM32%\Spool\drivers\color\* Exception: (Path) %SYSTEM32%\Spool\PRINTERS\* Exception: (Path) %SYSTEM32%\Spool\SERVERS\* Exception: (Path) %SYSTEM32%\Tasks\* Exception: (Path) %SYSTEM32%\microsoft\crypto\rsa\machinekeys\* Exception: (Path) %WINDIR%\registration\crmlog\* Exception: (Path) %WINDIR%\tasks\* Exception: (Path) %WINDIR%\temp\* Exception: (Path) %WINDIR%\tracing\* Exception: (Path) %WINDIR%\servicing\packages\* Exception: (Path) %WINDIR%\servicing\sessions\* Allow Administrators: All DLLs |
| Packaged app Enforcement Mode | Enforced |
| Custom configuration
OMA-URI: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/GROUPNAME/StoreApps/Policy Data type: String (XML file) |
Allow Everyone: All signed packaged apps
Exception: (Publisher) Microsoft.Getstarted Exception: (Publisher) Microsoft.MicrosoftOfficeHub Exception: (Publisher) Microsoft.SkypeApp Exception: (Publisher) Microsoft.WindowsFeedback |
BitLocker configuration
The following settings should be configured to use full volume encryption in TPM and PIN mode.
| Device Configuration Profile | Value(s) |
|---|---|
| Windows settings | |
| Endpoint protection – Windows Encryption
Encrypt devices |
Require |
| BitLocker base settings | |
| Endpoint protection – Windows Encryption
Configure encryption methods |
Enable*
Encryption for operating system drives: XTS-AES 256-bit Encryption for fixed data-drives: XTS-AES 256-bit Encryption for removable data-drives: AES-CBC 256-bit |
| BitLocker OS drive settings | |
| Endpoint protection – Windows Encryption
Require additional authentication at startup |
Require
Block BitLocker on devices without a compatible TPM chip: Block Compatible TPM startup: Do not allow TPM Compatible TPM startup PIN: Require startup PIN with TPM Compatible TPM startup key: Do not allow startup key with TPM Compatible TPM startup key and PIN: Do not allow startup key and PIN with TPM |
| OS drive recovery | Enable |
| User creation of recovery password | Allow 48-digit recovery password |
| User creation of recovery key | Allow 256-bit recovery key |
| Recovery options in the BitLocker setup wizard | Block |
| Save BitLocker recovery information in Azure Active Directory | Enable |
| BitLocker recovery Information stored to Azure Active Directory | Backup recovery passwords only |
| Store recovery information in Azure Active Directory before enabling BitLocker | Require |
| BitLocker removable data-drive settings | |
| Write access to removable data-drive not protected by BitLocker | Block |
| Write access to devices configured in another organization | Block |
*Devices that support automatic encryption may use a different encryption method for BitLocker such as XTS-AES 128-bit.
The BitLocker PIN should be in line with your organisation’s password policy. The NCSC has published password guidance to inform this. Please contact us if you need help devising an appropriate password policy.
Users can change the PIN after they have logged on to the device for the first time. A number of MDM policies can be used to configure the PIN requirements including:
| Device configuration > Endpoint protection > Windows Encryption |
|---|
| Minimum PIN Length > Minimum characters |
VPN configuration
You should deploy VPN infrastructure configured either to support the PRIME or Foundation profiles as detailed in the NCSC’s IPsec Guidance. Customisation guides are available for the Windows 10 Built-In VPN Client. Contact NCSC enquiries to obtain a copy.
PRIME is the recommended IPsec cipher suite profile for protecting information, and it requires a PKI infrastructure configured to support Elliptic Curve cryptography. A non-authoritative summary is provided in the table below:
| IKEv2 | Selection |
|---|---|
| Encryption | AES with 128-bit keys in GCM-128 mode |
| Pseudo-Random Function | HMAC-SHA-256 (RFC4868) |
| Diffie-Hellman Group | Group 19 256-bit random ECP (RFC5903) |
| Authentication | X.509 certificates with ECDSA signatures (256-bit) on the P-256 curve and SHA-256 (RFC4945 and RFC4055) |
| ESP | Selection |
| Encryption | AES-128 in GCM-128 mode |
If you are using a third-party VPN client, you should prefer one that has been built on top of the Windows 10 UWP VPN plug-in platform. These will likely integrate better into the platform and be more reliable, as the Windows platform is regularly updated.
Enterprise Considerations
The following points are in addition to the common enterprise considerations, and contain specific issues for Windows 10 MDM deployments.
Windows 10 feature updates
The Windows 10 Semi-Annual Channel receives feature updates twice-per-year. These feature updates will be serviced for 18 months from the date of release and will replace Current Branch (CB) and Current Branch for Business (CBB) concepts.
You should deploy feature updates immediately to a targeted deployment in order to validate that apps, devices and infrastructure work well with the new release. Once validation is complete, begin deploying broadly. You can defer feature updates for up to 365 days from release. To help with this approach organisations using Azure Active Directory may deploy Insider builds to a select group of devices via the Windows Insider Program for Business.
Monthly Quality Updates which include security, critical and driver updates should be downloaded and installed automatically.
If your organisation is using Windows Update for Business you will need to set the Telemetry level from 0 (Security) to 1 (Basic) for update policies to be honoured, as no Windows update information is gathered when set to 0. For more information on Windows telemetry settings see this Microsoft technical document and for more information on configuring Windows Update for Business see this Microsoft document.
When choosing third party products that alter the behaviour of the platform (such as VPN clients, anti-malware tools, management agents and auditing tools), it is important to consider that these may also need to be updated to remain compatible with newer versions of Windows 10. Products are more likely to be supported on future versions of Windows 10 if they use legitimate API’s such as the Anti-Malware Scan Interface and the Windows Runtime API for VPN’s.
This guidance may be updated in the future to cover significant new features in Windows 10 if they can improve the usability of the platform, while best addressing each of the security recommendations. The Windows 10 Long-Term Servicing Channel is designed for devices that never change, such as medical equipment and components in industrial control systems. It should not be deployed on End User Devices that are used to browse the web or use enterprise productivity software.
Device selection
Windows 10 can run on a wide variety of device types with a wide variety of internal hardware. However, many of the newer Windows security mitigations require the device to have specific hardware components and for these to be turned on.
Even if you are not deploying these mitigations at the moment, you should seek to buy a Windows Hardware Compatibility Program device that support TPM 2.0, UEFI v2.3.1 or higher and have a processor with virtualisation extensions.
The NCSC recommends devices that support InstantGo. Devices that are InstantGo certified will not have ports that allow DMA access and will have TPM 2.0 or later. InstantGo will maintain network connectivity when your screen is off in standby mode and will automatically have device encryption enabled.
If you are using Windows Hello with biometric authentication, you will need to buy special hardware, see Microsoft’s blog for more information.
Signature Edition devices can be used if the required hardware is available. If using these devices, you may not need to reinstall Windows.
Device firmware
You should ensure that devices are configured to boot from UEFI with Secure Boot enabled when initially installing Windows 10 – even if you choose to not configure some of the features that require it. This will make future version upgrades and adoption of those features easier.
The Windows 10 Secure Boot process (on supported and correctly configured hardware) alerts a user when an attempt to subvert the security controls has taken place. It is important that users know how to identify and respond to this alert.
Firmware updates can be automated via Windows Update and you should prefer devices that support this. If your OEM (original equipment manufacturer) is not choosing to use that mechanism, you will need to periodically check with them to see what the most recent version of the firmware is and how to deploy it across an enterprise.
Application whitelisting
When configuring additional application whitelists for a Windows device, it is important that the following conditions are considered:
- Users should not be allowed to run programs from areas where they are permitted to write files.
- Care should be taken to ensure that application updates do not conflict with whitelisting rules.
- Applications should be reviewed before being approved enterprise-wide, to ensure they don’t undermine application whitelisting. This is especially important for scripting languages which have their own execution environment.
The suggested AppLocker configuration in this guidance will implement those rules if using software that adheres to the requirements of Microsoft’s Desktop App Certification Program. If the rules do need to be customised, follow Microsoft’s Design Guide to minimise operational impact.
Universal applications
The configuration given above prevents users from accessing the public Microsoft Store to install applications, but an organisation can still host its own store to distribute in-house applications to their employees if required. This can be implemented either using Microsoft Store for Business in the cloud, or via a Company Store app deployed to devices.
If the Microsoft Store is enabled, users should explicitly use their corporate Microsoft ID to sign into the Store app rather than associating their work device with their personal Microsoft ID. AppLocker can be configured to only allow installation of apps that are on an enterprise-configured “allow” list. The Microsoft Store can be configured to automatically update any installed Universal applications. The same mechanism can also be used to remove Universal Apps that come with Windows – ones that the user is not allowed to run will be disallowed and removed from the Start menu.
Desktop applications
Enterprise software that handles data downloaded from the Internet needs additional protections.
Application sandboxing and content rendering controls should be considered essential. For applications such as Microsoft Office, or Adobe Acrobat, the use of their enterprise security controls should be considered. These security controls aim to help protect the end user when processing these potentially malicious files.
As well as providing a trusted platform to run enterprise web apps, modern web browsers have to process a wide variety of rich content from the Internet – some of which must be considered untrustworthy. You should consider the security controls available when choosing a web browser. If choosing a Microsoft browser, Edge should be preferred, with Internet Explorer only being used for specific website compatibility. If it is feasible, remove Internet Explorer from the installed image.
The update mechanisms built into Windows can be used to deploy and update Microsoft products but cannot keep third party products up to date. Where available, the auto-update mechanism built into third party products should be use to install updates – where this is not available it will be necessary to deploy updates using an enterprise system management service.
Cloud integration
Windows 10 devices do not need to be associated with a Microsoft ID to operate as required within an enterprise. Users should not enable personal, non-enterprise Microsoft ID (Live ID) accounts on the device, as this may allow data to leak through Microsoft cloud services backup and application storage.
However, organisations wishing to use cloud based services such as OneDrive can use the NCSC Cloud Security Guidance to help them understand both the benefits and risks of using online services.