Securing Devices - Securing Windows 10

Security guidance for organizations on the secure configuration of Windows 10.

While this guide does not apply to any specific version of Windows, it was last tested on Windows 10 2004 Enterprise Edition, which has more features available than some other versions of Windows 10.

Securing Windows 10

There are a number of configuration options which you can use to secure this platform within your organization. However, we specifically recommend you implement technical and procedural controls relating to the following areas.

General recommendations

  • Decide which Windows 10 devices your organization will use:

  • Devices that meet the hardware requirements for features such as Virtualization-Based Security and full disk encryption are preferred.

  • Windows 10 devices typically receive software updates multiple times a year, with major updates twice a year. We recommend keeping devices as up to date as your organization allows. Microsoft’s Windows lifecycle fact sheet can help you plan upgrades to keep your organization using supported versions.

  • Use one of the recommended network architectures to enable remote access to enterprise services.

  • Use a Mobile Device Management service to configure, monitor and enforce technical controls on your Windows 10 devices. Enable any logging and monitoring features.

  • If you are moving from an on-premises-only deployment to one that includes cloud services, a hybrid network deployment is recommended initially. This can be done using Azure Connect. Some help on hybrid architecture can be found on the Microsoft website.

  • Use Windows Autopilot to enroll and provision devices via zero touch enrollment with a trusted Windows 10 base image. Provision non-administrative accounts during setup, removing the need for local admin accounts.

  • Configure Windows Defender to help protect against malicious software. If you wish to use a 3rd party antivirus, we recommend one that uses cloud detection and hooks into the Anti-Malware Scan Interface (AMSI).

  • Cameras are enabled to allow for Windows Hello and video conferencing. However, this may not be appropriate for your specific deployment environment - in which case these features should be disabled.

  • Disable Microsoft Office macros. If this is not possible, only allow macros for specific apps or users where absolutely required. See macro security for Microsoft Office for further guidance.

Device configuration

Once you have chosen your MDM service, architecture and approach to applications, you should then develop a device configuration profile, which can be used to enforce your technical controls.

You should include policies which cover the following:

  • The use of biometrics, as well as passcodes and authentication using Windows Hello for Business.

  • For devices without a TPM, we advise using a modern authentication standard.

  • Configuration of BitLocker encryption settings to prevent data extraction using physical attacks. Using a TPM with PIN and Full Disk Encryption is recommended.

  • External interface protection, including wired and wireless peripherals. Use Direct Memory Access protections, such as ensuring new Direct Memory Access capable devices cannot be enumerated when the device is locked.

  • Automatic updates to your operating system and applications, along with firmware and drivers where applicable. We recommend configuring Windows Update for Business to enable this.

  • The built-in Always On IKEv2 virtual private network (VPN) client (if a VPN is required), with VPN credentials held in hardware-backed storage through Windows Hello for Business or the use of Windows Key Attestation.

  • We recommend configuring the Windows 10 built-in VPN client as per the customisation guide, which is available to public sector organizations by contacting BCSF enquiries (this archive also includes the BCSF Captive Portal Helper app for always-on VPNs).

  • If using a 3rd party VPN, configure in line with the BCSF’s IPsec Guidance or TLS Guidance and following our platform independent guidance on VPNs.

  • AppLocker to help defend against malware and ransomware - a recommended sample configuration is provided in the configuration pack. Additionally, you should include policies that manage third-party apps for work use from an enterprise app catalogue, delivered via MDM, through a private store.

  • The security of Cloud accounts on users’ devices, by using conditional access to control access to the sensitive features and services that are required by your organization.

  • Removal of Internet Explorer. However, if you want to utilise Windows Defender Application Guard, Internet Explorer is a requirement.

  • Configuration of Windows Defender Firewall to help reduce unwanted connections on Private/Public networks. By default, block outbound traffic on these networks, adding rules to allow specific exceptions for the services and protocols your organization requires.
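The following read-only audit is an added example, not part of this guidance or the BCSF configuration pack. It checks a Windows 10 device against several of the device configuration controls listed above (VBS, BitLocker with TPM+PIN, DMA protection while locked, Defender with cloud protection, default-block outbound firewall, AppLocker enforcement, Office macro policy) using built-in cmdlets; it assumes an elevated session, that policy was applied through the Group Policy registry locations (MDM-applied settings may be stored elsewhere), and that Office 2016/365 (registry version 16.0) is installed.

```powershell
# Added example: audit a Windows 10 device against the recommended controls.
# Read-only; run elevated. Returns one object per control with Pass/Detail.
function Test-Win10Baseline {
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result { param($Control, $Pass, $Detail)
        $results.Add([pscustomobject]@{ Control = $Control; Pass = [bool]$Pass; Detail = $Detail })
    }

    # Virtualization-Based Security: status 2 means VBS is running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    Add-Result 'Virtualization-Based Security running' ($dg.VirtualizationBasedSecurityStatus -eq 2) "Status=$($dg.VirtualizationBasedSecurityStatus)"

    # BitLocker: OS drive fully encrypted and protected by a TPM+PIN protector.
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    $types = @($bl.KeyProtector.KeyProtectorType)
    Add-Result 'BitLocker OS drive encrypted with TPM+PIN' (($bl.VolumeStatus -eq 'FullyEncrypted') -and ($types -contains 'TpmPin')) "VolumeStatus=$($bl.VolumeStatus); Protectors=$($types -join ',')"

    # DMA protection: "Disable new DMA devices when this computer is locked" policy.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    Add-Result 'New DMA devices blocked while locked' ($fve.DisableExternalDMAUnderLock -eq 1) "DisableExternalDMAUnderLock=$($fve.DisableExternalDMAUnderLock)"

    # Defender: real-time protection on and cloud (MAPS) reporting enabled (1=basic, 2=advanced).
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    Add-Result 'Defender real-time and cloud protection on' ($mp.RealTimeProtectionEnabled -and ($pref.MAPSReporting -gt 0)) "RealTime=$($mp.RealTimeProtectionEnabled); MAPSReporting=$($pref.MAPSReporting)"

    # Firewall: Private and Public profiles enabled with outbound blocked by default.
    foreach ($p in Get-NetFirewallProfile -Name Private, Public) {
        Add-Result "Firewall $($p.Name): enabled, outbound blocked by default" (($p.Enabled -eq 'True') -and ($p.DefaultOutboundAction -eq 'Block')) "Enabled=$($p.Enabled); DefaultOutboundAction=$($p.DefaultOutboundAction)"
    }

    # AppLocker: at least one rule collection in enforce (not audit-only) mode.
    $enforced = @((Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue).RuleCollections | Where-Object { $_.EnforcementMode -eq 'Enabled' })
    Add-Result 'AppLocker enforcing at least one rule collection' ($enforced.Count -gt 0) "Enforced=$(($enforced.RuleCollectionType) -join ',')"

    # Office macros: Word policy VBAWarnings=4 disables all macros without notification.
    $vba = Get-ItemProperty -Path 'HKCU:\SOFTWARE\Policies\Microsoft\Office\16.0\Word\Security' -ErrorAction SilentlyContinue
    Add-Result 'Word macros disabled by policy (VBAWarnings=4)' ($vba.VBAWarnings -eq 4) "VBAWarnings=$($vba.VBAWarnings)"

    return $results
}

Test-Win10Baseline | Format-Table Control, Pass, Detail -AutoSize
```

Any row with Pass set to False points at a control that the MDM configuration profile has not applied to this device; the Detail column shows the observed value so the profile can be corrected.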