The Blueprint Security step collects settings and preferences that make the Windows 10 device safer for business use while safeguarding privacy. The Security component of a Blueprint is exclusive to Workspace ONE Express+.

You can select settings including password complexity, privacy and VPN settings, device restrictions, encryption and firewall settings, and settings to integrate Windows Defender and BIOS updates from Dell.

If you are interested in a Workspace ONE Express+ license, see Upgrade from Workspace ONE Express.

Password

This section of the Blueprint configuration enables you to customize password settings, including complexity and minimum length, among others.

Password Complexity
    Set to Simple or Complex according to your preferred level of password difficulty.

Require Alphanumeric
    Enable to require the passcode to contain alphanumeric characters.

Minimum Password Length
    Enter the minimum number of characters a password must contain.

Maximum Password Age (days)
    Enter the maximum number of days that can elapse before the end user is required to change the password.

Device Lock Timeout (in Minutes)
    Enter the number of minutes before the device locks automatically and requires the passcode to be re-entered.

Maximum Number of Failed Attempts
    Enter the maximum number of failed passcode attempts the end user can make before the device is restarted.

Password History (occurrences)
    Enter the number of previous passwords that are remembered. The larger this number, the stricter the policy.

    For example, if you set the history to 12, an end user cannot reuse any of their past 12 passwords.

Restrictions

Select from options including allowing (or disallowing) devices to unenroll, location service use, diagnostic and telemetry data use, sign-in options, VPN, Bluetooth, camera, Cortana, USB storage, application settings, and network settings.

  1. Configure the Administration settings.
    Allow MDM Unenrollment
        Allow the end user to unenroll from Workspace ONE Express manually through the Workplace/Work Access enrollment settings.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

  2. Configure the Security & Privacy settings.
    Location
        Select how location services run on the device.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Send Diagnostic and Usage Telemetry Data
        Select the level of diagnostic and usage telemetry data to send to Microsoft.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

  3. Configure the General settings.
    Allow User to Change Sign-In Options
        Allow the user to change the sign-in options.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    VPN
        Allow the user to change the VPN settings.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow User to Change Workplace Settings
        Allow the user to change Workplace settings, which changes how MDM functions on the device.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow the User to Change Account Settings
        Allow the user to change account settings.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

  4. Configure the Bluetooth settings.
    Bluetooth
        Allow the use of Bluetooth on the device.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

  5. Configure the Device Functionality settings.
    Camera
        Allow access to the camera function of the device.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Cortana
        Allow access to the Cortana application.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Smart Screen
        Enable to allow the end user to use the Microsoft SmartScreen feature, which is a form of security that asks the end user to draw shapes on an image to unlock the device. This option also allows end users to use a PIN as their passcode.

        Note: After you disable this function, you cannot re-enable it through Workspace ONE UEM MDM. To re-enable it, you must factory reset the device.

        This restriction does not apply to Windows 10 Home edition devices.

    USB Storage
        Enable to allow the connection of USB storage devices.
  6. Configure the Applications settings.
    Allow Non-Windows Store Applications
        Allow the downloading and installation of applications not trusted by the Microsoft Store.

        This restriction applies to all Windows 10 devices.

    Allow App Store Auto Updates
        Enable to allow apps downloaded from the Microsoft Store to update automatically when new versions are available.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow Developer Unlock
        Allow the use of the Developer Unlock setting for sideloading applications onto devices.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow DVR & Game Broadcasting
        Enable to allow the recording and broadcasting of games on the device.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

  7. Configure the Network settings.
    Allow Auto Connect to Wi-Fi Hotspots
        Enable to allow the device to connect to Wi-Fi hotspots automatically using the Wi-Fi Sense functionality.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow Cellular Data On Roaming
        Enable to allow cellular data use while roaming.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

    Allow Internet Sharing
        Enable to allow Internet sharing between devices.

        This restriction applies to Windows 10 devices only and is not supported for Windows 10 Home edition devices.

Encryption

Select from several encryption options, such as whether to encrypt the entire hard disk or only the system partition, the encryption method (default versus several 128-bit and 256-bit options), and BitLocker authentication settings.

  1. Configure the Encryption settings.
    Encrypted Volume
        Use the drop-down menu to select the scope of encryption as follows.

        • Complete Hard Disk – Encrypts the entire hard disk on the device, including the system partition where the OS is installed.
        • System Partition – Encrypts only the partition or drive where Windows is installed and from which it starts.

    Encryption Method
        Select the encryption method for the device. These settings are only supported on Windows 10 version 1511 and later.

    Only Encrypt Used Space During Initial Encryption
        Enable to limit the initial BitLocker encryption to the space that is in use on the drive at the time of encryption.

    Force Encryption
        Enable to force encryption on the device. With this enforcement, the device immediately re-encrypts if BitLocker is manually disabled.

        Consider disabling this setting to prevent issues during upgrades or Enterprise Wipes.

  2. Configure the BitLocker Authentication settings.
    Authentication Mode
        Select the method for authenticating access to a BitLocker-encrypted device.

        • TPM — Uses the device's Trusted Platform Module. Requires a TPM on the device.
        • Password — Uses a password to authenticate.

    Enforce Encryption PIN on Login
        Select the check box to require users to enter a PIN to unlock the device.

        This option blocks OS startup, and automatic resume from suspend or hibernation, until the user enters the correct PIN.

        To remove an existing pre-authorization PIN from an enrolled device, the end user must decrypt the device and re-encrypt it with the updated encryption profile.

    Use Password if TPM Not Present
        Select the check box to use a password as a fallback for unlocking the device if no TPM is available.

        If this setting is not enabled, devices without a TPM do not encrypt.
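The following is an added example, not code from the Workspace ONE documentation: it reads the effective BitLocker state of the local device and reports where it differs from the Encryption and BitLocker Authentication choices above, including the no-TPM case the last setting describes. It assumes Windows 10 with the BitLocker and TrustedPlatformModule PowerShell modules, run from an elevated session; the `$expected` values are constructed for illustration.

```powershell
# Added example (not part of the Workspace ONE documentation). $expected models the
# Blueprint choices above; the values are constructed for illustration.
$expected = @{
    EncryptedVolume    = 'CompleteHardDisk'   # or 'SystemPartition'
    EncryptionMethod   = 'XtsAes256'          # value as reported by Get-BitLockerVolume
    AuthenticationMode = 'TPM'                # or 'Password'
    EnforcePin         = $true                # Enforce Encryption PIN on Login
    PasswordFallback   = $true                # Use Password if TPM Not Present
}

function Test-BlueprintBitLocker([hashtable]$Expected) {
    $findings = @()
    $tpm     = Get-Tpm                       # requires elevation
    $volumes = Get-BitLockerVolume

    # Scope: System Partition covers only the OS volume; Complete Hard Disk covers every volume.
    $required = if ($Expected.EncryptedVolume -eq 'SystemPartition') {
        $volumes | Where-Object VolumeType -eq 'OperatingSystem'
    } else { $volumes }

    foreach ($v in $required) {
        if ($v.ProtectionStatus -ne 'On' -or $v.VolumeStatus -eq 'FullyDecrypted') {
            $findings += "$($v.MountPoint): protection $($v.ProtectionStatus), status $($v.VolumeStatus)"
        } elseif ("$($v.EncryptionMethod)" -ne $Expected.EncryptionMethod) {
            $findings += "$($v.MountPoint): method $($v.EncryptionMethod), expected $($Expected.EncryptionMethod)"
        }
    }

    # Authentication Mode and the PIN setting show up as key protector types on the OS volume.
    $os    = $volumes | Where-Object VolumeType -eq 'OperatingSystem'
    $types = @($os.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    if ($Expected.AuthenticationMode -eq 'TPM') {
        if (-not $tpm.TpmPresent) {
            # Edge case from the page: without a TPM, the device only encrypts via the password fallback.
            if (-not $Expected.PasswordFallback)  { $findings += 'No TPM and no password fallback: device will not encrypt' }
            elseif ($types -notcontains 'Password') { $findings += 'No TPM present and no Password protector found' }
        } elseif ($Expected.EnforcePin -and $types -notcontains 'TpmPin') {
            $findings += 'Enforce Encryption PIN is set but no TpmPin protector is present'
        } elseif (-not $Expected.EnforcePin -and $types -notcontains 'Tpm') {
            $findings += 'TPM authentication expected but no Tpm protector is present'
        }
    } elseif ($types -notcontains 'Password') {
        $findings += 'Password authentication expected but no Password protector is present'
    }
    $findings
}

$result = Test-BlueprintBitLocker $expected
if (-not $result) { 'BitLocker state matches the Blueprint' } else { $result }
```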

Firewall

Configure how the firewall behaves when connected to Domain, Private, and Public networks.

Firewall
    Set to Enable to enforce the policy settings on network traffic. If disabled, the device allows all network traffic, regardless of the other policy settings.

Outbound Action
    Select the default action the firewall takes on outbound connections.

    If set to Block, the firewall blocks all outbound traffic unless explicitly specified otherwise.

Inbound Action
    Select the default action the firewall takes on inbound connections.

    If set to Block, the firewall blocks all inbound traffic unless explicitly specified otherwise.

Notify User When Windows Firewall Blocks a New App
    Set the notification behavior for the firewall.

    If you select Enable, the firewall can notify the user when it blocks a new app. If you select Disable, the firewall sends no notifications.

Defender

You can make Windows Defender a part of your Blueprint by enabling and configuring its use on Windows 10 devices. Options include threat default actions, how much CPU to devote to a scan, enabling full and quick catch-up scans, and how long to wait before quarantined files are discarded.

  1. Configure the Real-Time Monitoring settings.
    Real-time Monitoring
        Enable to activate the real-time monitoring component of Defender.

  2. Configure the Exclusions settings.
    Exclusions
        Select the Add New button to exclude a Path, a file Extension, or a Process from Defender scans.

  3. Configure the Threat Default Action settings to determine the default action when Defender encounters each level of threat: Low, Moderate, High, and Severe.
    • Not Configured
    • Clean — Select to clean the issues caused by the threat.
    • Quarantine — Select to move the threat into a quarantine folder.
    • Remove — Select to remove the threat from the device.
    • Allow — Select to allow the threat to stay.
    • User Defined — Select to let the user decide how the threat is handled.
    • Block — Select to block the threat from accessing the device.

  4. Configure the Advanced settings.
    Scan Avg CPU Load Factor (%)
        Sets the average CPU load factor as a percentage, limiting the CPU load Defender is allowed to use during scans.

        The larger this number, the faster Defender can complete scans, but the fewer CPU cycles remain available for other tasks.

    Catchup Full Scan
        Enable to allow the running of a full scan that was interrupted or missed previously.

        A catch-up scan is a scan that is initiated because a regularly scheduled scan was missed, usually because the device was turned off at the scheduled time.

    Catchup Quick Scan
        Enable to allow the running of a quick scan that was interrupted or missed previously.

    Remove Quarantined Files After
        Set how long files are kept in quarantine before they are permanently deleted.
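The following is an added example, not code from the Workspace ONE documentation; it serves both the Firewall and Defender sections above. It compares the effective Windows Firewall and Defender state of the local device with the Blueprint choices, using the Get-NetFirewallProfile and Get-MpPreference cmdlets that ship with Windows 10. It assumes an elevated session; the `$blueprint` values are constructed for illustration.

```powershell
# Added example (not part of the Workspace ONE documentation). $blueprint models the
# Firewall and Defender settings above; the values are constructed for illustration.
$blueprint = @{
    Firewall = @{ Enabled = $true; Inbound = 'Block'; Outbound = 'Allow'; Notify = $true }
    Defender = @{ RealtimeMonitoring = $true; ScanAvgCpuLoad = 50; CatchupFullScan = $true; CatchupQuickScan = $true
                  QuarantineDays = 30; ThreatActions = @{ Low = 'Clean'; Moderate = 'Quarantine'; High = 'Quarantine'; Severe = 'Remove' } }
}
# Get-MpPreference reports threat default actions as numeric ThreatAction codes; these are their names.
$actionNames = @{ 0 = 'NotConfigured'; 1 = 'Clean'; 2 = 'Quarantine'; 3 = 'Remove'; 6 = 'Allow'; 8 = 'UserDefined'; 9 = 'NoAction'; 10 = 'Block' }

function Test-BlueprintFirewall([hashtable]$Expected) {
    $findings = @()
    # The Blueprint applies one policy to the Domain, Private, and Public profiles alike.
    foreach ($p in Get-NetFirewallProfile -Name Domain, Private, Public) {
        if (($p.Enabled -eq 'True') -ne $Expected.Enabled)        { $findings += "$($p.Name): firewall enabled is $($p.Enabled)" }
        if ($p.DefaultInboundAction -ne $Expected.Inbound)        { $findings += "$($p.Name): inbound default $($p.DefaultInboundAction), expected $($Expected.Inbound)" }
        if ($p.DefaultOutboundAction -ne $Expected.Outbound)      { $findings += "$($p.Name): outbound default $($p.DefaultOutboundAction), expected $($Expected.Outbound)" }
        if (($p.NotifyOnListen -eq 'True') -ne $Expected.Notify)  { $findings += "$($p.Name): notify on block is $($p.NotifyOnListen)" }
    }
    $findings
}

function Test-BlueprintDefender([hashtable]$Expected) {
    $findings = @()
    $pref = Get-MpPreference
    # Defender exposes these toggles as Disable* switches, so their sense is inverted relative to the Blueprint.
    if ((-not $pref.DisableRealtimeMonitoring) -ne $Expected.RealtimeMonitoring) { $findings += 'Real-time monitoring does not match' }
    if ((-not $pref.DisableCatchupFullScan)    -ne $Expected.CatchupFullScan)    { $findings += 'Catch-up full scan does not match' }
    if ((-not $pref.DisableCatchupQuickScan)   -ne $Expected.CatchupQuickScan)   { $findings += 'Catch-up quick scan does not match' }
    if ($pref.ScanAvgCPULoadFactor -ne $Expected.ScanAvgCpuLoad)         { $findings += "Scan CPU load factor is $($pref.ScanAvgCPULoadFactor)%" }
    if ($pref.QuarantinePurgeItemsAfterDelay -ne $Expected.QuarantineDays) { $findings += "Quarantine purge after $($pref.QuarantinePurgeItemsAfterDelay) days" }
    foreach ($level in $Expected.ThreatActions.Keys) {
        $code = [int]$pref."${level}ThreatDefaultAction"          # e.g. HighThreatDefaultAction
        if ($actionNames[$code] -ne $Expected.ThreatActions[$level]) { $findings += "$level threat default action is $($actionNames[$code])" }
    }
    # Exclusions widen the scan blind spot, so list them for review rather than pass/fail.
    foreach ($e in @($pref.ExclusionPath) + @($pref.ExclusionExtension) + @($pref.ExclusionProcess)) {
        if ($e) { $findings += "Exclusion configured: $e" }
    }
    $findings
}

Test-BlueprintFirewall $blueprint.Firewall
Test-BlueprintDefender $blueprint.Defender
```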

BIOS

If you are a Dell customer, you can incorporate BIOS settings updates for your Dell Windows 10 devices into the Blueprint.

  1. Configure the Security settings.
    BIOS Password
        Enter the password used to unlock the BIOS of the device.

        This text box is required.

    TPM Chip
        Select Enable to turn on the device's Trusted Platform Module chip.

  2. Configure the Boot settings.
    Boot Mode (drop-down menu)
        Select whether the device starts in BIOS or UEFI mode.

    Boot Mode Protection (check box)
        Safeguards the boot settings of a device when Boot Mode is changed.

        Disabling Boot Mode Protection can prevent the currently installed operating system from booting if Boot Mode is changed.

    Secure Boot
        Select Enable to use Secure Boot on the device. You cannot disable Secure Boot with DCM. If your devices already use Secure Boot, you must disable the setting manually on the device.

        Secure Boot requires Boot Mode to be set to UEFI and Legacy Option ROMs to be set to Disable.

    Legacy Option ROMs
        Select Enable to allow the use of legacy option ROMs during the boot process.

  3. Configure the Virtualization settings.
    CPU Virtualization
        Select Enable to allow hardware virtualization support.

    Virtualization IO
        Select Enable to allow input/output virtualization.

    Trusted Execution
        Select Enable to allow the device to use the TPM chip, CPU Virtualization, and Virtualization IO for trust decisions.

        Trusted Execution requires the TPM Chip, CPU Virtualization, and Virtualization IO settings to be set to Enable.
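The following is an added example, not code from the Workspace ONE or Dell documentation: it checks on the device itself whether the dependencies stated above (UEFI boot mode for Secure Boot, a ready TPM and CPU virtualization for Trusted Execution) actually hold after the BIOS settings apply. It assumes Windows 10 in an elevated session, since Get-Tpm and Confirm-SecureBootUEFI require elevation.

```powershell
# Added example (not part of the Workspace ONE or Dell documentation): verify the
# Boot and Virtualization prerequisites from the OS side after the BIOS profile applies.
function Test-BlueprintBios {
    $findings = @()

    # Windows sets $env:firmware_type to 'UEFI' or 'Legacy' according to the active boot mode.
    $bootMode = $env:firmware_type
    if ($bootMode -ne 'UEFI') { $findings += "Boot Mode is $bootMode; Secure Boot requires UEFI" }

    # Confirm-SecureBootUEFI throws on a legacy-BIOS boot, which is itself a finding rather than a script error.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings += 'Secure Boot is disabled' }
    } catch {
        $findings += "Secure Boot state unavailable: $($_.Exception.Message)"
    }

    # Trusted Execution needs the TPM chip enabled; TpmReady also covers ownership/initialization.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) { $findings += 'TPM chip is not present or not ready' }

    # CPU Virtualization as seen by Windows. Caveat: Win32_Processor reports this as False when a
    # hypervisor such as Hyper-V is already running, so treat that result as "verify in firmware".
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    if (-not $cpu.VirtualizationFirmwareEnabled) { $findings += 'CPU Virtualization not reported as enabled in firmware' }

    $findings
}

$result = Test-BlueprintBios
if (-not $result) { 'Boot and Virtualization prerequisites are satisfied' } else { $result }
```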