Join Pete Zerger for an in-depth discussion in this video Policy-based management options, part of Microsoft Cybersecurity Stack: Securing Windows 10 in the Enterprise.
- [Presenter] Now we're going to talk about policy-based configuration with Microsoft tools aimed at helping you centrally manage and secure Windows 10 for your business users. And I'm not just going to talk about the tools and explain your modern policy-based management options, but give you some time-saving tips that will help you improve security and reduce your effort. Your native options are Active Directory Group Policy, which feels like it's been around forever, and Microsoft Intune. We'll talk briefly about a hybrid strategy with Intune and System Center Configuration Manager called Co-management.
But this topic here is really important to your future management strategy if you're an SCCM customer. PowerShell is a great tool and we can use PowerShell to administer multiple Windows 10 endpoints, but this should be to supplement and bridge gaps in your enterprise tools or tackle ad hoc admin tasks. Active Directory Group Policy is a hierarchical infrastructure containing thousands of options that allow us to implement specific configurations for our users and computers, including security and network policies at the machine level.
We can create collections of user and computer settings and group policy objects, or GPOs, which we'll administer with a group policy management console, or GPMC. There are over 3,000 Windows 10 Group Policy settings, which doesn't include the over 1,800 Internet Explorer 11 settings. And each release of Windows 10, like Windows 1803, gets its own updated Group Policy template with expanded Group Policy configuration options.
Every time a new Windows build is released, you need to download and install these additions. Just do an internet search for Windows 10 1803 group policy templates, for example, and it will generally be the first result in the list. What's a security baseline? In short, it's security best practices you can download and import. Everyone should download the Security Baseline for Windows 10 for the latest build, which contains Microsoft's recommended Security Baseline settings.
Just search for Security Baseline for Windows 10 and look for the latest build number. Inside the download you'll find pre-configured GPOs you can import, a GPO report with the full list of settings, a group policy template and ADMX file with additional security settings you can apply, and WMI filters that enable you to target GPOs to Windows 10 specifically. Windows 10 Security Baselines are a quick win for security. And like GPO templates it's another item that you need to download.
Search for that security baseline for Windows 10 and get your latest version and find the one with the latest build number for sure. Configuration service providers are really the foundation of Intune policy-based configurations. And CSPs are the future. Intune is a heavy investment area for Microsoft and you'll find more and more overlap with Group Policy as time goes on. So plan your transition to a modern management approach with tools like Intune and Autopilot.
You'll find more than 50 CSPs in Intune with hundreds of settings. I'll provide a list of CSPs supported on Windows 10 Enterprise with links detailing configuration guidance in the course download. If we're using Group Policy and Intune, what about conflicts? Which one wins? The short answer is it depends. The winner depends on a couple of factors. For Windows 10 1709 and earlier, the GPO takes precedence.
In Windows 10 1803 and beyond, it depends on the value of ControlPolicyConflict. That means you can decide whether GPO or CSP wins in a conflict. Originally CSPs were used to manage Windows mobile devices. Then the Windows 10 platform and the management approach for both desktop and mobile devices converged, taking advantage of the same CSPs to configure and manage all devices running Windows 10. On a side note, it is possible to ingest a custom ADMX, a Group Policy template, through the policy CSP channel.
We could take a lengthy diversion here, but instead I'll give you a link to an example of this with the Google Chrome custom GPO in the proxy and browser module later in this course. All CSPs in Windows 10 are documented in the configuration service provider reference. I wanted to mention System Center Configuration Manager, or SCCM, briefly. There are some security-related management features, like some integration to help with BitLocker drive encryption management, Windows Defender Antivirus management, and MDM functionality.
But what I really want to talk to you about is Co-management. Co-management enables you to concurrently manage Windows 10 devices by using both Configuration Manager and Intune. It's a solution that provides a bridge from traditional to modern management and gives you a path to make the transition using a phased approach. Your main potential blocker here is if you already have hybrid MDM in place, in which case you'll need to start migrating to Intune standalone. But if you have SCCM and Intune you can enable co-management in Configuration Manager with just four mouse clicks.
This enables you the flexibility to transition at your own pace to modern Windows 10 Management in Intune. Look at the course download for links to Deep Dive courses on Intune here on LinkedIn Learning.
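The GPO-versus-CSP precedence rule described in the transcript can be checked on an endpoint. The script below is an added example, not part of the course material: it reports which side wins based on the Windows build and the `MDMWinsOverGP` setting of the ControlPolicyConflict policy area. The function names are hypothetical, and the registry location where the applied Policy CSP value is read is an assumption to confirm on your own builds.

```powershell
# Added example: report whether Group Policy or MDM (Policy CSP) wins a conflict.
# Assumption: the applied ControlPolicyConflict value is mirrored under the
# PolicyManager registry key below; confirm this on your own builds.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
$OsKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$Build1803 = 17134   # Windows 10 1803 (1709 is build 16299)

# Pure decision logic, so it can also be run against inventory data.
function Resolve-PolicyConflictWinner {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Nullable[int]]$MdmWinsOverGp
    )
    if ($Build -lt $Build1803) {
        return 'GroupPolicy (1709 or earlier: GPO takes precedence)'
    }
    if ($MdmWinsOverGp -eq 1) {
        return 'MDM (MDMWinsOverGP = 1)'
    }
    # 0 is the documented default; a missing value is treated the same way.
    return 'GroupPolicy (MDMWinsOverGP is 0 or not set)'
}

# Reads the local build number and the applied policy value, then resolves the winner.
function Get-PolicyConflictState {
    $build = [int](Get-ItemProperty -Path $OsKey).CurrentBuildNumber
    $value = $null
    if (Test-Path -Path $PolicyKey) {
        $value = (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue).MDMWinsOverGP
    }
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Build         = $build
        MDMWinsOverGP = $value
        Winner        = Resolve-PolicyConflictWinner -Build $build -MdmWinsOverGp $value
    }
}

Get-PolicyConflictState
```

`MDMWinsOverGP` only affects settings delivered through the Policy CSP, so a result of "MDM" does not mean every Intune setting overrides its Group Policy equivalent.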
- Cyber threats targeting Windows 10
- Developing a layered defense
- Policy-based management options
- Encrypting Windows devices
- Managing privacy settings
- Working with Windows Defender
- Managing updates
- Firewall configurations
- Securing remote access and cloud data