Standard Laptop build

1st October 2019

Recommend the same build across laptops and desktops.

Choose hardware from a Tier 1 vendor (IBM, HP, Dell); these provide firmware updates for longer. Favour hardware that includes a TPM module and a fingerprint scanner.
BIOS
WakeOnLan = on
Wake @ 7am, a standard time for installing updates
Power loss state = last
TPM (Trusted Platform Module) = on
Windows 10 Enterprise: to stop users unknowingly or deliberately installing malware, engage “S mode”, which only allows installs from the Windows Store. This can be enabled after installing the company standard software. Controlling this via Group Policy requires a forest and domain level of Windows 2016+. The trade-off is that users can still install programs that have passed the scrutiny of the Microsoft Store. To test this manually: Settings > Apps > Apps & Features; under the Installing Apps heading, choose Allow Apps From The Store Only. I will be testing how this feature works with Group Policy published applications. Link
Encrypted HDD
Rename the local Administrator account to AdminL and set a 63-character password
Automatic updates @ 7am
System Restore ON
HVCI ON https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity
Disable WPAD http://increasec.com/wp-admin/post.php?post=82&action=edit
WINS/NetBIOS/Master Browser off. Leave 1-2 wired PCs ON (per subnet) if no domain is present.
Disable PowerShell on the Public network profile http://increasec.com/wp-admin/post.php?post=167&action=edit
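The Windows items above (encrypted HDD, AdminL rename and 63-character password, 7am updates, System Restore, HVCI, WPAD, NetBIOS/Master Browser, PowerShell on Public) can be audited and applied from one script. The following is an added example, not the author's own tooling: the `Report`, `Set-Reg`, `Get-Reg` and `New-RandomPassword` helpers and the `-Apply`/`-BrowserHost` switches are mine; the registry paths and values are the documented settings for each control. Reading System Restore state from `RPSessionInterval` is my assumption about how that flag behaves.

```powershell
# Added audit/apply script for the Windows items in the list above; it is not the author's own
# tooling. Run it in an elevated Windows PowerShell 5.1 session. Without -Apply it only reports;
# with -Apply it sets each item. -BrowserHost skips the NetBIOS/Browser step on the 1-2 wired
# PCs the list keeps ON per subnet when there is no domain.
[CmdletBinding()]
param([switch]$Apply, [switch]$BrowserHost)

$results = New-Object System.Collections.Generic.List[object]
function Report($Item, $Ok, $Detail) {
    $results.Add([pscustomobject]@{ Item = $Item; Pass = [bool]$Ok; Detail = $Detail })
}
function Set-Reg($Path, $Name, $Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}
function Get-Reg($Path, $Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function New-RandomPassword([int]$Length = 63) {
    $chars = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_~'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb = New-Object System.Text.StringBuilder
    $limit = 256 - (256 % $chars.Length)   # rejection sampling keeps the choice unbiased
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($chars[$buf[0] % $chars.Length]) }
    }
    $sb.ToString()
}

# Encrypted HDD: BitLocker on the system drive, keyed to the TPM, plus a recovery password
$tpm = Get-Tpm -ErrorAction SilentlyContinue
$bl  = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($Apply -and $bl.ProtectionStatus -eq 'Off' -and $tpm.TpmReady) {
    Enable-BitLocker -MountPoint $env:SystemDrive -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest | Out-Null
    Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -RecoveryPasswordProtector | Out-Null
    $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive
}
Report 'System drive encrypted' ($bl.ProtectionStatus -eq 'On') "Protection=$($bl.ProtectionStatus) Method=$($bl.EncryptionMethod) TpmReady=$($tpm.TpmReady)"

# Built-in Administrator (RID 500) renamed to AdminL with a 63-character random password
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($Apply -and $admin.Name -ne 'AdminL') {
    Rename-LocalUser -Name $admin.Name -NewName 'AdminL'
    $pw = New-RandomPassword 63
    Set-LocalUser -Name 'AdminL' -Password (ConvertTo-SecureString $pw -AsPlainText -Force)
    Write-Host "AdminL password (record it in the password manager now; it is not stored): $pw"
    $admin = Get-LocalUser -Name 'AdminL'
}
Report 'Administrator renamed to AdminL' ($admin.Name -eq 'AdminL') "Account: $($admin.Name)"

# Automatic updates: download, then install on a schedule every day at 07:00
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if ($Apply) {
    Set-Reg $au 'NoAutoUpdate' 0; Set-Reg $au 'AUOptions' 4                    # 4 = auto download, scheduled install
    Set-Reg $au 'ScheduledInstallDay' 0; Set-Reg $au 'ScheduledInstallTime' 7  # 0 = every day, hour 7
}
Report 'Auto-update 07:00 daily' ((Get-Reg $au 'AUOptions') -eq 4 -and (Get-Reg $au 'ScheduledInstallTime') -eq 7) "AUOptions=$(Get-Reg $au 'AUOptions') Hour=$(Get-Reg $au 'ScheduledInstallTime')"

# System Restore on the system drive (RPSessionInterval read as non-zero once protection is on: my assumption)
if ($Apply) { Enable-ComputerRestore -Drive "$env:SystemDrive\" }
$sr = Get-Reg 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore' 'RPSessionInterval'
Report 'System Restore on' ($sr -ge 1) "RPSessionInterval=$sr"

# HVCI: virtualization-based protection of code integrity, set via the registry as in the linked doc
$dg   = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$hvci = "$dg\Scenarios\HypervisorEnforcedCodeIntegrity"
if ($Apply) {
    Set-Reg $dg 'EnableVirtualizationBasedSecurity' 1; Set-Reg $dg 'RequirePlatformSecurityFeatures' 1  # 1 = Secure Boot, 3 = + DMA protection
    Set-Reg $hvci 'Enabled' 1; Set-Reg $hvci 'Locked' 0   # unlocked, so it can be turned off without UEFI interaction
}
$running = (Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard).SecurityServicesRunning
Report 'HVCI' ((Get-Reg $hvci 'Enabled') -eq 1) "Configured=$(Get-Reg $hvci 'Enabled') Running(2=HVCI)=$($running -join ',')"

# WPAD: tell WinHTTP not to use WPAD and disable the auto-proxy service (takes effect after reboot)
$winhttp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
$svc     = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc'
if ($Apply) { Set-Reg $winhttp 'DisableWpad' 1; Set-Reg $svc 'Start' 4 }   # Start 4 = service disabled
Report 'WPAD disabled' ((Get-Reg $winhttp 'DisableWpad') -eq 1 -and (Get-Reg $svc 'Start') -eq 4) "DisableWpad=$(Get-Reg $winhttp 'DisableWpad') SvcStart=$(Get-Reg $svc 'Start')"

# NetBIOS over TCP/IP and the Computer Browser service, except on the designated browser hosts
if (-not $BrowserHost) {
    if ($Apply) {
        Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
            ForEach-Object { Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } | Out-Null }
        Set-Service -Name Browser -StartupType Disabled -ErrorAction SilentlyContinue   # service is absent once SMB1 is removed
    }
    $nbt = (Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE').TcpipNetbiosOptions
    Report 'NetBIOS over TCP/IP off' (@($nbt | Where-Object { $_ -ne 2 }).Count -eq 0) "Per-adapter (2=off): $($nbt -join ',')"
}

# PowerShell on the Public profile: outbound block rules for both PowerShell binaries
foreach ($exe in "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe") {
    $name = "Block PowerShell outbound (Public) - $exe"
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($Apply -and -not $rule) {
        $rule = New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe -Profile Public -Action Block
    }
    Report 'PowerShell blocked on Public' ([bool]$rule -and $rule.Enabled -eq 'True') $name
}

$results | Format-Table -AutoSize
```

Run it once without switches to get a pass/fail table for a freshly imaged machine, then with `-Apply` (and `-BrowserHost` on the one or two PCs that keep NetBIOS for browsing). The HVCI and WPAD settings only take effect after a reboot, so the audit run should be repeated afterwards.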
Browser: Firefox / Chrome
uBlock Origin plugin
LastPass plugin
Non-email chat: Microsoft Teams / Slack / RocketChat / Telegram / Wire / Signal / Google Hangouts
Asset management: Spiceworks?
VPN client: Fortinet / ZeroTier / TunnelBear
Fingerprint reader: https://www.amazon.ca/Fingerprint-PQI-Matching-Biometric-Security/dp/B06XG4MHFJ/ref=sr_1_5?keywords=fingerprint+keyboard&qid=1566494596&s=gateway&sr=8-5
Remote access to laptop: TeamViewer, remotedesktop.google.com, Splashtop
Video conference & screen sharing: WebEx / Zoom / Join.me / BigBlueButton

Disable IPv6: Windows prefers IPv6 over IPv4, and an intruder can use this to present a preferred DC or DNS service.
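An added example for the IPv6 item above, not from the original post: it reports the current IPv6 posture, including any IPv6 DNS servers the client has accepted (the symptom of the rogue DNS/DC problem the item describes), and can either make Windows prefer IPv4 or switch IPv6 off. The `Get-IPv6Posture` function and the `-Mode` parameter are mine; the `DisabledComponents` values 0x20 and 0xFF are Microsoft's documented settings.

```powershell
# Added example for the IPv6 item above (not from the original post). Run elevated.
# Audit (default) shows the current posture. Prefer4 keeps IPv6 bound but makes Windows
# choose IPv4 first (DisabledComponents 0x20); Off disables IPv6 on every interface
# except loopback (0xFF) and unbinds it from the adapters. DisabledComponents is read at boot.
[CmdletBinding()]
param([ValidateSet('Audit', 'Prefer4', 'Off')][string]$Mode = 'Audit')

$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Get-IPv6Posture {
    $dc = 0
    try { $dc = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction Stop).DisabledComponents } catch { }
    # adapters that still have the IPv6 stack bound
    $bound = Get-NetAdapterBinding -ComponentID ms_tcpip6 | Where-Object Enabled | Select-Object -ExpandProperty Name
    # IPv6 DNS servers the client has accepted; on a network that only runs IPv4 any entry here
    # deserves a look, since a host answering IPv6 configuration is how a rogue DNS/DC becomes preferred
    $v6dns = Get-DnsClientServerAddress -AddressFamily IPv6 | Where-Object { $_.ServerAddresses.Count -gt 0 }
    [pscustomobject]@{
        DisabledComponents = ('0x{0:X}' -f $dc)
        PrefersIPv4        = [bool]($dc -band 0x20)
        IPv6Disabled       = (($dc -band 0xFF) -eq 0xFF)
        AdaptersWithIPv6   = @($bound)
        IPv6DnsServers     = @($v6dns | ForEach-Object { "$($_.InterfaceAlias): $($_.ServerAddresses -join ', ')" })
    }
}

switch ($Mode) {
    'Prefer4' { New-ItemProperty -Path $key -Name DisabledComponents -Value 0x20 -PropertyType DWord -Force | Out-Null }
    'Off' {
        New-ItemProperty -Path $key -Name DisabledComponents -Value 0xFF -PropertyType DWord -Force | Out-Null
        Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6
    }
}

$posture = Get-IPv6Posture
$posture | Format-List
if (-not $posture.IPv6Disabled -and $posture.IPv6DnsServers.Count -gt 0) {
    Write-Warning 'IPv6 DNS servers are configured; confirm they are yours before trusting name resolution.'
}
if ($Mode -ne 'Audit') { Write-Warning 'DisabledComponents is read at boot; reboot to apply.' }
```

`Prefer4` is the gentler option for networks that may still need IPv6 later; `Off` matches the item as written. Either way, run the audit again after the reboot and confirm `IPv6DnsServers` is empty on an IPv4-only network.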

Windows Admin Center: convenient management.