The Modern Workplace baseline is actively developed and updated on regular basis. And includes many best practices and optimizations.
Any changes required to the baseline should never be done manually, as this will be overwritten by automation. Always contact Prof-IT for required changes.
Optional Platform Settings
- Rename Intune managed Windows devices to a standarized format
- Devices can be renamed to customercode + UPN + Random Chars
- Disabled by default
- Defender for Endpoint Vulnerability user notifications
- Turned on by default
Conditional Access
- Microsoft MFA should be used, users are required to enroll including several password-reset options.
- By default, browser access to Microsoft 365 resources is only allowed with phish-resistant MFA
- This includes YubiKeys, Intune compliant or app protection devices
- Security Keys are supported as well
- Locally installed application such as Teams and Outlook, can only sign-in from Intune managed devices
- This ensures no company data is synced to unprotected computers
- All data is stored on encrypted devices
- Phish-Resistant solution
- Exclusions can be set based on Security Groups described in this post Prof-IT Baseline Security Groups – Prof-IT Services
Configure MFA for Office 365 Using Microsoft Authenticator – Prof-IT Services
Windows Hello For Business
Users are required to configure WHFB when they first sign in. It’s important to instruct the user on how to use it. Users need to configure a PIN, and optionally Fingerprint or Camera sign-in.
MFA sign in is enabled by default and requires users to sign in using two factors of PIN, Fingerprint, Camera, or connected Bluetooth phone. Do not forget to instruct the user on this, as it can create confusion.
Exclusions can be set per device using Security Groups as described in this post Prof-IT Baseline Security Groups – Prof-IT Services
Mobile Phone App Protection Policies
App Protection Policies secures Microsoft applications on mobile devices without enrollment in Intune, increasing user-experience and security.
Should a user want to use native iOS or Android applications, full Intune enrollment is required.
- Authentication is applied to Microsoft apps, based on Pin code or Face/Finger recognition
- Encryption is applied to Microsoft apps, and iOS and Android backups are disabled
- Data storage is limited to OneDrive
- Defender for Endpoint needs to be installed, allowing vulnerability managament
- Minimum OS Version is enforced, ensuring no vulnerable mobile devices access the environment
In some cases, older phones that are unable to update to a latest OS version, will have to be replaced. This is highly recommended as often public remote exploits are available.
Windows Firewall & Defender Exclusions
Normally, anyone with admin rights on a device can create Firewall and Defender exclusions, resulting in malware setting these before download a payload. Due to this, local merge has been disabled. Any required exclusions should be configured in Intune.
- No Exclusions are set by default.
- All inbound connections are blocked.
Windows Update Settings
- Updates are automatically approved with a 7 day delay to prevent bad updates to be installed.
- Updates start installing at 14:00
- The user is prompted to reboot regularly, a deadline is set at 7 days after which the computer will auto-reboot
Edge Update Settings
Due to the higher risk and impact of vulnerabilities in Edge, Update policies are configured stricter.
- Edge updates are checked and install every 2 hours
- The user is prompted to restart Edge regularly, a deadline is set at 2 days after which Edge well auto-reset
Windows Security, Tweaks & Optimizations
Several tweaks and optimizations are applied by default to all users.
- Edge auto sign in
- Edge Add and News blocker
- Edge Search Engine set to Google
- OneDrive auto sign in
- OneDrive auto known folder move
- Azure Virtual Desktop Auto Subscribe
- Local Admin rights strip
- Bitlocker auto encryption
- Attack Surface Reduction Rules
- Defender SmartScreen
- Protected Folders
- Network Protection
- Device lock settings
- Time client settings
- Other security settings and tweaks
Windows AppLocker
AppLocker limits locations where executables, scripts and installers will be allowed to launch from. This is to further mitigate possible threats. Details about rules will not be made publicly available.
Application Deployment
Applications can be installed leveraging Chocolatey if there is a community package available. Client specific business apps can be deployed leveraging MSIX Packaging.
Prof-IT can handle the packaging process. Please contact [email protected].