GPO’s For Enterprise Windows 10 Roll Out

There is a big list by Microsoft I went through – https://technet.microsoft.com/itpro/windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services#BKMK_WiFiSense , Microsoft also provides a DISA STIG Baseline ( here )  however I have gone a bit further on security

Computer Configuration – Administrative Templates – Windows Components – Data Collection and Preview Builds

Disable access to pre-release features – Disabled

Configure telemetry to level 0 – Enterprise Only

Do not show feedback notifications – Enabled

Toggle user control over Insider builds – Disabled

 

Computer Configuration – Administrative Templates – System – Log on

                Show first sign-in animation – Disable

                Turn on convenience PIN sign-in – Diable

Turn off picture password sign-in -Enable

 

Computer Configuration – Administrative Templates – Windows Components – Search –

Allow Cortana – Disabled

 

Computer Configuration – Administrative Templates – Windows Components – Cloud Content

                Do Not Show Windows Tips – Enabled

                Turn off Microsoft Consumer Experiences – Enabled

 

Computer Configuration – Administrative Templates – Control Panel

                Do not display the lock screen – Enabled

 

Computer Configuration – Windows Settings – Security Settings – Local Policies – Security Options     

                Accounts: Block Microsoft Accounts – Enabled From Longon and Adding

 

Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\

Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services – Disabled 

 

Computer Configuration\ Administrative Templates\ Control Panel\ Regional and Language Options\ Allow Input Personalization and set to Disabled.

We also collect your typed and handwritten words to improve character recognition and provide you with a personalized user dictionary and text completion suggestions. Some of this data is stored on your device and some is sent to Microsoft to help improve these services.

Is it possible that any collected words may accidentally include patient information?

 

Computer Configuration > Administrative Templates > Windows Components > OneDrive > Prevent the usage of OneDrive for file storage – Enabled

 

Computer Configuration > Administrative Templates > Windows Components > Search> Don’t search the web or display web results in Search – Enabled

 

Computer Configuration > Administrative Templates > Windows Components > Search> Don’t search the web or display web results in Search over metered connections– Enabled

Why might you want to disable web search?  It is a good idea if you don’t want your local search queries sent to Bing.

Computer Configuration> Administrative Templates> System> User Profiles> Turn off the advertising ID

Turn off the advertising ID to disable targeted ads –  Enabled

Computer Configuration > Administrative Templates > Windows Components > Store >Disable all apps from Windows Store.
You can turn off the ability to launch apps from the Windows Store that were preinstalled or downloaded. This will also turn off automatic app updates, and the Windows Store will be disabled. On Windows Server 2016, this will block Windows Store calls from Universal Windows Apps.

VN:F [1.9.22_1171]
Rating: 0.0/10 (0 votes cast)
VN:F [1.9.22_1171]
Rating: 0 (from 0 votes)

Tags: enterprise, group policy, rollout, Windows 10

Trackback from your site.