Securing a Windows Computer

Issue / Question
Instructions for securing a new Windows computer.
  • What do I enable on a new Windows computer?
  • How do I set up a Windows computer?
Environment
  • Platform
    • Windows
  • Audience Affected
    • Staff
Resolution
Part of our mission is to protect the confidentiality, preserve the integrity, and promote the availability of data for authorized use. The following are recommendations for the least restrictive way to secure the Windows Operating System.
  • Authorized Operating Systems 
    • Only Windows Enterprise is authorized for use on ISU-owned equipment. 
  • Permanently Disable
    • Wi-Fi Sense - This has been deprecated in later versions of Windows.

Telemetry 
Telemetry for the operating system and applications must be disabled.
  1. Go to the Group Policy Editor  
  2. Select Computer Configuration
  3. Select Windows Components
  4. Select Data Collection and Preview Builds
  5. Check Allow telemetry 
  6. Check Enabled
  7. Select 0 - Security [Enterprise Only]
  8. Click Apply

Inventory Collector 
Must be disabled. 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Windows Components
  4. Select Application Compatibility
  5. Check Turn off Inventory Collector
  6. Check Enabled
  7. Click Apply

Windows Defender 
The policy of ISU is to use McAfee Antivirus instead, so Defender should be disabled.
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Windows Components
  4. Select Windows Defender Antivirus
  5. Turn off Windows Defender Antivirus
  6. Check Enabled
  7. Click Apply

OneDrive
The only authorized location to store files is box.com, with which ISU has an agreement. 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Windows Components
  4. Select OneDrive
  5. Select Prevent the usage of OneDrive for file storage
  6. Check Enabled
  7. Click Apply

Retrieving Device Metadata 
Must be disabled.
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select System
  5. Select Device Installation
  6. Select Prevent device metadata retrieval from the internet
  7. Check Enabled
  8. Click Apply
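
Each of the five mandatory policies above writes a DWORD under HKLM\SOFTWARE\Policies\Microsoft, so the result can be checked without opening the editor. The read-only PowerShell audit below is an added example, not part of the original article; the registry value names are the ones these policies are known to set, and the function name Test-PolicyValue is hypothetical.

```powershell
# Added example: read-only audit of the registry values behind the five
# mandatory policies. It changes nothing on the machine.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft'

# Policy name (as used on this page) -> key, value name, expected DWORD.
$checks = @(
    @{ Policy = 'Allow telemetry (0 - Security)'
       Key = "$base\Windows\DataCollection"; Name = 'AllowTelemetry'; Expected = 0 }
    @{ Policy = 'Turn off Inventory Collector'
       Key = "$base\Windows\AppCompat"; Name = 'DisableInventory'; Expected = 1 }
    @{ Policy = 'Turn off Windows Defender Antivirus'
       Key = "$base\Windows Defender"; Name = 'DisableAntiSpyware'; Expected = 1 }
    @{ Policy = 'Prevent the usage of OneDrive for file storage'
       Key = "$base\Windows\OneDrive"; Name = 'DisableFileSyncNGSC'; Expected = 1 }
    @{ Policy = 'Prevent device metadata retrieval from the Internet'
       Key = "$base\Windows\Device Metadata"
       Name = 'PreventDeviceMetadataFromNetwork'; Expected = 1 }
)

function Test-PolicyValue {
    param([hashtable]$Check)
    # A missing key or value means the policy is still "Not Configured".
    $item = Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($Check.Name) } else { $null }

    if ($null -eq $actual) { $status = 'NotConfigured' }
    elseif ($actual -eq $Check.Expected) { $status = 'Compliant' }
    else { $status = 'NonCompliant' }

    [pscustomobject]@{
        Policy   = $Check.Policy
        Expected = $Check.Expected
        Actual   = $actual
        Status   = $status
    }
}

$results = $checks | ForEach-Object { Test-PolicyValue -Check $_ }
$results | Format-Table -AutoSize

# A non-zero exit code lets a deployment script or scheduled task flag the machine.
if ($results | Where-Object Status -ne 'Compliant') { exit 1 }
```

A matching value shows the policy has been written to the registry; run `gpupdate /force` first if the settings were just changed in the editor.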

Disabled by Default 
If a computer does not access a system that manages Highly Sensitive Data (such as HIPAA data), then these settings can be modified by the user.
Handwriting Data Sharing
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select System
  5. Select Internet Communications Management
  6. Select Internet Communications settings
  7. Turn off Handwriting personalization data sharing
  8. Check Enabled
  9. Click Apply

Handwriting Error Reporting 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select System
  5. Select Internet Communications Management
  6. Select Internet Communications settings
  7. Turn off Handwriting recognition error reporting
  8. Check Enabled
  9. Click Apply

Steps Recorder 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Windows Components
  4. Select Application Compatibility
  5. Select Turn off Steps Recorder
  6. Check Enabled
  7. Click Apply

Lock Screen Camera 
  1. Go to the Group Policy Editor 
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select Control Panel\Personalization
  5. Select Prevent enabling lock screen camera
  6. Check Enabled
  7. Click Apply

Location 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Windows Components
  4. Select Location and Sensors
  5. Select Turn off location
  6. Check Enabled
  7. Click Apply

Sensors 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Windows Components
  4. Select Location and Sensors
  5. Select Turn off sensors
  6. Check Enabled
  7. Click Apply

App Notifications 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select System\Logon
  5. Select Turn off app notifications on the lock screen
  6. Check Enabled
  7. Click Apply

Advertising ID 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select System
  5. Select User Profiles
  6. Select Turn off the advertising ID
  7. Check Enabled 
  8. Click Apply

Sending Writing Info 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select Control Panel\Regional and Language Options
  5. Select Prevent enabling lock screen camera
  6. Check Enabled
  7. Click Apply

Windows Feedback Requests 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select Windows Components
  5. Select Data Collection and Preview Builds
  6. Select Do not show feedback notifications
  7. Check Enabled
  8. Click Apply

Automatic Driver Update 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select Windows Components
  5. Select Windows Update
  6. Select Do not include drivers with Windows Updates
  7. Check Enabled
  8. Click Apply

Windows Customer Experience Improvement Program 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select System 
  5. Select Internet Communication Management
  6. Select Internet Communication Settings
  7. Select Turn off Windows Customer Experience Improvement Program
  8. Check Enabled
  9. Click Apply

Cortana 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select Windows Components
  5. Select Allow Cortana
  6. Check Disabled
  7. Click Apply

Location Info 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select Windows Components
  5. Select Location and Sensors
  6. Select Turn off location
  7. Check Enabled
  8. Click Apply

Camera 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select Windows Components
  5. Select App Privacy
  6. Select Let Windows apps access the camera
  7. Check Enabled
  8. Check that the User is in control under the options heading
  9. Click Apply

Microphone 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select Windows Components
  5. Select App Privacy
  6. Select Let Windows apps access the microphone
  7. Check Enabled
  8. Check that the User is in control under the options heading
  9. Click Apply

Account Info
  1. Go to the Group Policy Editor  
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select Windows Components
  5. Select App Privacy
  6. Select Let Windows apps access the account information
  7. Check Enabled
  8. Check that the User is in control under the options heading
  9. Click Apply

Calendar 
  1. Go to the Group Policy Editor
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select Windows Components
  5. Select App Privacy
  6. Check Let Windows apps access the calendar
  7. Check Enabled
  8. Check that the User is in control under the options heading
  9. Click Apply

Messages 
  1. Go to the Group Policy Editor  
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select Windows Components
  5. Select App Privacy
  6. Select Let Windows apps access messaging
  7. Check Enabled
  8. Check that the User is in control under the options heading
  9. Click Apply

Radios 
  1. Go to the Group Policy Editor  
  2. Select Computer Configuration
  3. Select Administrative Templates
  4. Select Windows Components
  5. Select App Privacy
  6. Select Let Windows apps control radios
  7. Check Enabled
  8. Check that the User is in control under the options heading
  9. Click Apply

Details

Article ID: 74200
Created: Wed 3/20/19 2:51 PM
Modified: Sun 12/17/23 10:59 AM