Recommend the same build across laptop & desktop
Choose hardware from a Tier 1 vendor (IBM, HP, Dell); these provide firmware updates for longer. Favor hardware that includes a TPM module and a fingerprint scanner.
WakeOnLan = on
Wake @ 7am, a standard time for installing updates
Power loss state = last
TPM (Trusted Platform Module) = on
Windows 10 Enterprise; to avoid users unknowingly or purposefully installing malware, engage “S mode”, which only allows installs from the Windows Store. This can be enabled after installing company-standard software. Controlling this via Group Policy may require a Forest and Domain functional level upgrade, as it is a newer feature. This trade-off allows users to install programs that have passed the scrutiny of the Microsoft Store. To manually test this: Settings > Apps > Apps & Features; under the Installing Apps heading, choose Allow Apps From The Store Only. I will be testing how this feature works with Group Policy Published Applications.
Rename the local administrator account to AdminL and set a 63-character password
Automatic Updates @ 7am
System Restore ON
HVCI (hypervisor-protected code integrity) ON https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity
Disable WPAD http://increasec.com/wp-admin/post.php?post=82&action=edit
WINS/NetBIOS/Master Browser off. Keep 1-2 wired PCs on (per subnet) if no domain is present.
Disable PowerShell to Public http://increasec.com/wp-admin/post.php?post=167&action=edit
uBlock Origin browser extension
Non-email chat: Microsoft Teams / Slack / RocketChat / Telegram / Wire / Signal / Google Hangouts
Asset management: Spiceworks?
VPN client: Fortinet / ZeroTier / TunnelBear
Fingerprint reader: https://www.amazon.ca/Fingerprint-PQI-Matching-Biometric-Security/dp/B06XG4MHFJ/ref=sr_1_5?keywords=fingerprint+keyboard&qid=1566494596&s=gateway&sr=8-5
Remote access (laptop): TeamViewer, remotedesktop.google.com, Splashtop
Video conferencing & screen sharing: WebEx / Zoom / Join.me / BigBlueButton
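As an added example that is not part of the original post, a read-only PowerShell audit of several items in this baseline (TPM, HVCI, the AdminL rename, System Restore, the 7am update schedule, NetBIOS). It assumes the account name AdminL and the 07:00 time from the list, and that WPAD was disabled by disabling the WinHttpAutoProxySvc service; run it in an elevated session on a Windows 10 host.

```powershell
# Added example (not from the original post): read-only audit of the baseline items above.
# Assumptions: renamed admin is "AdminL", updates scheduled at 07:00, WPAD disabled via its service.
$results = [ordered]@{}

# TPM present and ready (TrustedPlatformModule module, built into Windows 10).
$tpm = Get-Tpm
$results['TPM enabled'] = ($tpm.TpmPresent -and $tpm.TpmReady)

# HVCI: SecurityServicesRunning contains 2 when hypervisor-enforced code integrity is active.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$results['HVCI running'] = ($dg.SecurityServicesRunning -contains 2)

# Built-in administrator (RID 500) renamed to AdminL.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$results['Local admin renamed'] = ($builtinAdmin.Name -eq 'AdminL')

# System Restore: DisableSR = 1 means it has been turned off.
$sr = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' -ErrorAction SilentlyContinue
$results['System Restore on'] = ($sr.DisableSR -ne 1)

# Automatic Updates scheduled install hour from policy (7 = 07:00).
$au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$results['Updates at 07:00'] = ($au.ScheduledInstallTime -eq 7)

# NetBIOS over TCP/IP: TcpipNetbiosOptions 2 = disabled, checked on every IP-enabled adapter.
$nics = Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }
$results['NetBIOS disabled'] = -not ($nics | Where-Object { $_.TcpipNetbiosOptions -ne 2 })

# WPAD: assumption that the WinHTTP Web Proxy Auto-Discovery service was set to Disabled.
$wpad = Get-Service WinHttpAutoProxySvc -ErrorAction SilentlyContinue
$results['WPAD service disabled'] = ($wpad.StartType -eq 'Disabled')

# Print one PASS/FAIL line per check.
$results.GetEnumerator() | ForEach-Object {
    '{0,-24} {1}' -f $_.Key, $(if ($_.Value) { 'PASS' } else { 'FAIL' })
}
```

The 63-character password and S mode state are not verifiable from this script; confirm those through the settings dialogs the list describes.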