Issue / Question
Instructions for securing a new Windows computer with Group Policy settings.
Environment
-
Platform
-
Audience Affected
Resolution
Part of our mission is to protect the confidentiality, preserve the integrity, and promote the availability of data for authorized use. The following are recommendations for the least restrictive way to secure the Windows operating system. Every setting below is made in the Local Group Policy Editor (gpedit.msc) under Computer Configuration > Administrative Templates. On a domain-joined computer, domain Group Policy overrides these local settings at the next policy refresh.
Authorized Operating Systems
- Only Windows Enterprise is authorized for use on ISU-owned equipment.
Wi-Fi Sense
- Wi-Fi Sense has been deprecated in later versions of Windows and needs no setting here.
Telemetry
Telemetry for the operating system and applications must be set to the lowest available level, 0 - Security, which sends only security-related data (Malicious Software Removal Tool and Windows Defender reports). This level is honored only on Enterprise and Education editions; other editions treat it as 1 - Basic.
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select Windows Components
- Select Data Collection and Preview Builds
- Select Allow Telemetry
- Check Enabled
- Under Options, select 0 - Security [Enterprise Only]
- Click Apply
Inventory Collector
The Inventory Collector, which inventories applications, files, devices and drivers on the computer and sends the information to Microsoft, must be disabled.
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select Windows Components
- Select Application Compatibility
- Select Turn off Inventory Collector
- Check Enabled
- Click Apply
Windows Defender Antivirus
ISU policy is to use McAfee Antivirus instead, so Windows Defender Antivirus must be disabled. Install McAfee and confirm it is running before applying this setting, so the computer is never left without antivirus protection. On builds where Tamper Protection is turned on, this policy may be ignored until Tamper Protection is turned off.
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select Windows Components
- Select Windows Defender Antivirus
- Select Turn off Windows Defender Antivirus
- Check Enabled
- Click Apply
OneDrive
The only authorized location to store files is box.com, with which ISU has an agreement, so OneDrive file storage must be disabled.
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select Windows Components
- Select OneDrive
- Select Prevent the usage of OneDrive for file storage
- Check Enabled
- Click Apply
Retrieving Device Metadata
Retrieval of device metadata (icons and descriptions downloaded from Microsoft when hardware is connected) must be disabled.
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select System
- Select Device Installation
- Select Prevent device metadata retrieval from the Internet
- Check Enabled
- Click Apply
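As an added example (not part of the original article), the following PowerShell script applies the five mandatory settings above by writing the registry values that those Group Policy settings control, then verifies each one. It assumes Windows 10 or later with Windows PowerShell 5.1 run as Administrator; the registry paths are the documented policy locations for these settings. The edition check and the Tamper Protection check are this editor's additions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: applies the mandatory Group Policy
# settings by writing the registry values those policies control, then verifies them.

$mandatory = @(
    # Data Collection and Preview Builds > Allow Telemetry > Enabled, 0 - Security [Enterprise Only]
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'; Name = 'AllowTelemetry'; Value = 0 },
    # Application Compatibility > Turn off Inventory Collector > Enabled
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'; Name = 'DisableInventory'; Value = 1 },
    # Windows Defender Antivirus > Turn off Windows Defender Antivirus > Enabled
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'; Name = 'DisableAntiSpyware'; Value = 1 },
    # OneDrive > Prevent the usage of OneDrive for file storage > Enabled
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\OneDrive'; Name = 'DisableFileSyncNGSC'; Value = 1 },
    # System > Device Installation > Prevent device metadata retrieval from the Internet > Enabled
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Device Metadata'; Name = 'PreventDeviceMetadataFromNetwork'; Value = 1 }
)

function Set-PolicyValue {
    # Creates the policy key if it is missing and writes the DWORD value.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Test-PolicyValue {
    # Reads the value back and returns $true only if it matches what was requested.
    param([string]$Path, [string]$Name, [int]$Value)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $item) -and ($item.$Name -eq $Value)
}

# Telemetry level 0 exists only on Enterprise and Education editions; other editions
# silently treat it as 1 (Basic), so warn instead of reporting it as applied.
$edition = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').EditionID
if ($edition -notlike 'Enterprise*' -and $edition -notlike 'Education*') {
    Write-Warning "EditionID is '$edition'; AllowTelemetry=0 is honored only on Enterprise and Education editions."
}

foreach ($p in $mandatory) {
    Set-PolicyValue @p
    $state = if (Test-PolicyValue @p) { 'OK' } else { 'FAILED' }
    '{0,-8} {1}\{2} = {3}' -f $state, $p.Path, $p.Name, $p.Value
}

# Tamper Protection (Windows 10 version 1903 and later) can make Defender ignore the
# DisableAntiSpyware policy; report it so an unexpected Defender state is explained.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp -and $mp.IsTamperProtected) {
    Write-Warning 'Tamper Protection is on; the Turn off Windows Defender Antivirus policy may not take effect until it is turned off.'
}
```

Values written this way take effect, but the Local Group Policy Editor still shows the settings as Not Configured because it reads registry.pol rather than the live registry; to keep them visible in the editor, use the steps above (or import them with Microsoft's LGPO.exe). On a domain-joined computer the domain GPO re-applies its own values at the next refresh.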
The remaining settings are recommended. If the computer is not used to access a system that manages Highly Sensitive Data (for example, data covered by HIPAA), the user may adjust them.
Handwriting Data Sharing
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select System
- Select Internet Communication Management
- Select Internet Communication settings
- Select Turn off handwriting personalization data sharing
- Check Enabled
- Click Apply
Handwriting Error Reporting
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select System
- Select Internet Communication Management
- Select Internet Communication settings
- Select Turn off handwriting recognition error reporting
- Check Enabled
- Click Apply
Steps Recorder
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select Windows Components
- Select Application Compatibility
- Select Turn off Steps Recorder
- Check Enabled
- Click Apply
Lock Screen Camera
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select Control Panel\Personalization
- Select Prevent enabling lock screen camera
- Check Enabled
- Click Apply
Location
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select Windows Components
- Select Location and Sensors
- Select Turn off location
- Check Enabled
- Click Apply
Sensors
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select Windows Components
- Select Location and Sensors
- Select Turn off sensors
- Check Enabled
- Click Apply
Lock Screen App Notifications
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select System\Logon
- Select Turn off app notifications on the lock screen
- Check Enabled
- Click Apply
Advertising ID
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select System
- Select User Profiles
- Select Turn off the advertising ID
- Check Enabled
- Click Apply
Input Personalization
The lock screen camera setting named in the original step belongs under Control Panel\Personalization and is covered above. The privacy setting under Control Panel\Regional and Language Options is Allow input personalization (named Allow users to enable online speech recognition services on newer builds), which collects speech, inking and typing samples; it should be disabled.
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select Control Panel\Regional and Language Options
- Select Allow input personalization
- Check Disabled
- Click Apply
Windows Feedback Requests
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select Windows Components
- Select Data Collection and Preview Builds
- Select Do not show feedback notifications
- Check Enabled
- Click Apply
Driver Updates
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select Windows Components
- Select Windows Update
- Select Do not include drivers with Windows Updates
- Check Enabled
- Click Apply
Windows Customer Experience Improvement Program
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select System
- Select Internet Communication Management
- Select Internet Communication settings
- Select Turn off Windows Customer Experience Improvement Program
- Check Enabled
- Click Apply
Cortana
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select Windows Components
- Select Search
- Select Allow Cortana
- Check Disabled
- Click Apply
App Privacy
These settings leave each user in control of which apps may use the camera, microphone, account information, calendar, messaging and radios. Repeat the steps for each of the six settings.
- Go to the Group Policy Editor
- Select Computer Configuration
- Select Administrative Templates
- Select Windows Components
- Select App Privacy
- Select one of the following: Let Windows apps access the camera; Let Windows apps access the microphone; Let Windows apps access account information; Let Windows apps access the calendar; Let Windows apps access messaging; Let Windows apps control radios
- Check Enabled
- Under Options, check that Default for all apps is set to User is in control
- Click Apply
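As an added example (not part of the original article), this PowerShell script audits the recommended settings in this section, including the App Privacy values, by reading the registry values each Group Policy setting controls. It changes nothing and runs as a standard user. The registry locations are the documented policy keys; the expected values and the decoding of the App Privacy values (0 = User is in control, 1 = Force Allow, 2 = Force Deny) are this editor's additions.

```powershell
# Added example, not from the original article: reports whether each recommended
# policy is configured as described, reading only the registry. Run as any user.

$policies = @(
    @{ Setting = 'Turn off handwriting personalization data sharing';       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\TabletPC';                Name = 'PreventHandwritingDataSharing';     Expect = 1 },
    @{ Setting = 'Turn off handwriting recognition error reporting';        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\HandwritingErrorReports'; Name = 'PreventHandwritingErrorReports';    Expect = 1 },
    @{ Setting = 'Turn off Steps Recorder';                                 Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat';               Name = 'DisableUAR';                        Expect = 1 },
    @{ Setting = 'Prevent enabling lock screen camera';                     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Personalization';         Name = 'NoLockScreenCamera';                Expect = 1 },
    @{ Setting = 'Turn off location';                                       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors';      Name = 'DisableLocation';                   Expect = 1 },
    @{ Setting = 'Turn off sensors';                                        Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LocationAndSensors';      Name = 'DisableSensors';                    Expect = 1 },
    @{ Setting = 'Turn off app notifications on the lock screen';           Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System';                  Name = 'DisableLockScreenAppNotifications'; Expect = 1 },
    @{ Setting = 'Turn off the advertising ID';                             Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AdvertisingInfo';         Name = 'DisabledByGroupPolicy';             Expect = 1 },
    @{ Setting = 'Allow input personalization (Disabled)';                  Path = 'HKLM:\SOFTWARE\Policies\Microsoft\InputPersonalization';            Name = 'AllowInputPersonalization';         Expect = 0 },
    @{ Setting = 'Do not show feedback notifications';                      Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection';          Name = 'DoNotShowFeedbackNotifications';    Expect = 1 },
    @{ Setting = 'Do not include drivers with Windows Updates';             Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate';           Name = 'ExcludeWUDriversInQualityUpdate';   Expect = 1 },
    @{ Setting = 'Turn off Windows Customer Experience Improvement Program'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\SQMClient\Windows';              Name = 'CEIPEnable';                        Expect = 0 },
    @{ Setting = 'Allow Cortana (Disabled)';                                Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Windows Search';          Name = 'AllowCortana';                      Expect = 0 }
)

# The six App Privacy policies share one key. Value meaning: 0 = User is in control,
# 1 = Force Allow, 2 = Force Deny. The article asks for Enabled with User is in control.
$appPrivacyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppPrivacy'
$appPrivacy = @(
    'LetAppsAccessCamera', 'LetAppsAccessMicrophone', 'LetAppsAccessAccountInfo',
    'LetAppsAccessCalendar', 'LetAppsAccessMessaging', 'LetAppsAccessRadios'
)
$appPrivacyMeaning = @{ 0 = 'User is in control'; 1 = 'Force Allow'; 2 = 'Force Deny' }

function Get-PolicyState {
    # Returns the DWORD the policy wrote, or $null when the policy is not configured.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

foreach ($p in $policies) {
    $actual = Get-PolicyState -Path $p.Path -Name $p.Name
    $state = if ($null -eq $actual) { 'NOT CONFIGURED' } elseif ($actual -eq $p.Expect) { 'OK' } else { "MISMATCH (value $actual)" }
    '{0,-22} {1}' -f $state, $p.Setting
}

foreach ($name in $appPrivacy) {
    $actual = Get-PolicyState -Path $appPrivacyKey -Name $name
    $meaning = if ($null -eq $actual) { 'NOT CONFIGURED' } elseif ($appPrivacyMeaning.ContainsKey($actual)) { $appPrivacyMeaning[$actual] } else { "UNKNOWN (value $actual)" }
    '{0,-22} {1}' -f $meaning, $name
}
```

NOT CONFIGURED means no policy has been set, so Windows falls back to its defaults and to whatever the user chose in the Settings app; it does not mean the feature is off. For the App Privacy settings the article's intended state is User is in control, and a Force Deny here would override the user's own choices.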