|
1 | 1 | # Policies |
2 | 2 |
|
3 | 3 | ## ./windows-baseline |
4 | | - |
5 | | -| Name | Description | |
| 4 | + |
| 5 | + | Name | Description | |
6 | 6 | | ---- | ----------- | |
7 | 7 | | Windows-Avd-AllSessionHosts | Filter for all Azure Virtual Desktop session hosts - single session and multi-session | |
8 | 8 | | Windows-Avd-MultiSession | Filter for Virtual machines running Windows 10/11 multi-session on Azure Virtual Desktop | |
9 | 9 | | Windows-Avd-SingleSession | Filter for Azure Virtual Desktop single session machines | |
10 | 10 | | Windows-EnterpriseEducation | Filter for Windows 10/11 Enterprise or Education edition | |
11 | 11 | | Windows-VirtualMachines | Filter for Microsoft Hyper-V, VMware Workstation / Fusion, Parallels Desktop, Oracle VirtualBox | |
12 | 12 | | Windows-Windows365 | Filter for Windows 365 Cloud PCs | |
13 | | -| Prod-Windows-AllDevice-CompliancePolicy | User-based Windows compliance policy that applies to all default scenarios including Windows PCs, Windows 365, and AVD single session. | |
14 | | -| Prod-Windows-AzureVirtualDesktop-CompliancePolicy | Device-based Windows compliance policy that applies to Azure Virtual Desktop multi-session - assign to All Devices with a filter that includes AVD multi-session hosts or an Entra ID group that targets those session hosts. | |
15 | | -| Prod-Windows-BitLocker | Windows BitLocker settings to enable encryption for fixed drives with the default AES 128 bit XTS encryption, enable encryption for standard users and backup of the key to Azure AD. Assign to 'All Devices' | |
16 | | -| Prod-Windows-AzureVirtualDesktop-RemoteDesktop-Device | Remote Desktop settings to apply to Azure Virtual Desktop and Windows 365 devices. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
17 | | -| Prod-Windows-BaselinePolicies-Device | Baseline configurations and policies to enable corporate device experience, restrict Windows consumer features, and configure basic lockdown on corporate device. Apply to All Devices / filters or device groups. | |
18 | | -| Prod-Windows-BaselinePolicies-User | Standard Windows corporate user interface settings to restrict access to consumer features and Microsoft accounts, configures Start menu and Taskbar options, hides public links in the Microsoft Store, etc.Apply to All Users / filters, with exceptions for specified user groups if needed. | |
19 | | -| Prod-Windows-EnableCredentialGuard-Device | Enable Hypervisor Code Protected Integrity and Credential Guard without UEFI lock for safe approach to this security setting. Use this policy as a baseline and when no other policies are managing this setting.Apply to All Devices / filters or device groups. Enabling Credential Guard for Entra ID joined AVD session hosts using storage account access to authenticate a a storage account will break that authentication. | |
20 | | -| Prod-Windows-EnableSmartScreenPhishingProtection-Device | Microsoft Defender SmartScreen settings for Windows Explorer (Windows 10, Windows 11), and Phishing Protection in Windows 11.Apply to All Devices / filters or device groups. | |
21 | | -| Prod-Windows-EnableStorageSense-Device | Storage Sense settings to clear disk space including OneDrive and Downloads folders. Note - this will remove files from Downloads and Recycle Bin.Apply to All Devices / filters or device groups. | |
22 | | -| Prod-Windows-GoogleChrome-Device | Baseline application policy settings for Google Chrome. This policy will lockdown Chrome, including preventing signing into the browser with a Google account. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
23 | | -| Prod-Windows-GoogleChrome-Extensions-Device | Configures extension settings in Google Chrome - prevents users from adding extensions, and configures a list of force installed extensions. Apply to All Devices / filters or device groups. | |
24 | | -| Prod-Windows-Microsoft365Apps-Device | Configure Microsoft 365 Apps settings - validate channel. Assumes a single Microsoft 365 Apps package has been deployed, incluing Project and Visio. Enables viewer mode so that users without licenses can use the Microsoft 365 Apps in viewer mode.Apply to All Devices / filters or device groups. | |
25 | | -| Prod-Windows-Microsoft365Apps-User | Configure user targeted policy settings for the Microsoft 365 Apps. Apply to All Users / filters or user groups. | |
26 | | -| Prod-Windows-MicrosoftDefenderAntivirus-Device | Microsoft Defender antivirus and antimalware settings. Note 'Local Admin Merge' is enabled. Assign to 'All Devices' | |
27 | | -| Prod-Windows-MicrosoftDefenderExclusions | Folder path exclusions to support Intune clients. Exclusions may need to be updated in MDE as well | |
28 | | -| Prod-Windows-MicrosoftDefenderUpdateControls-Device | Configures Microsoft Defender update channels | |
29 | | -| Prod-Windows-MicrosoftEdge-Device | Baseline Microsoft Edge settings - enforce SmartScreen, sync, basic browser settings. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
30 | | -| Prod-Windows-MicrosoftEdge-Extensions-Device | Configures extension settings in Microsoft Edge - prevents users from adding extensions, and configures a list of force installed extensions.Adds: Microsoft Editor, uBlock Origin, My Apps Secure Sign-in Extension, Microsoft Multimedia Redirection. Also enables the Edge sidebar & Copilot default extensions. | |
31 | | -| Prod-Windows-MicrosoftEdge-ProgressiveWebApps-User | Configure list of force-installed Microsoft 365 Progessive Web Apps that have no Store or Win32 application | |
32 | | -| Prod-Windows-MicrosoftOneDrive-Device | Configure OneDrive for Business including SSO and Known Folder Move.Important - validate the Tenant ID value matches the Entra ID tenant ID from this tenant.Apply to All Devices / filters or device groups. | |
33 | | -| Prod-Windows-SecurityExperience-Device | Windows Security Center settings and support contact into. Assign to 'All Users' | |
34 | | -| Prod-Windows-WindowsUpdateSettings-Device | Settings for Windows Update. Ensure Windows Update for Business reports have been configured for these settings to be applicable. | |
35 | | - |
36 | | -## ./windows-update |
37 | | - |
38 | | -| Name | Description | |
| 13 | +| Prod-Windows-AllDevice-CompliancePolicy | User-based Windows compliance policy that applies to all default scenarios including physical Windows PCs. | |
| 14 | +| Prod-Windows-AzureVirtualDesktop-CompliancePolicy | Device-based Windows compliance policy that applies to Azure Virtual Desktop session hosts - assign to All Devices with a filter that includes 'Windows-Avd-AllSessionHosts' | |
| 15 | +| Prod-Windows-Windows365-CompliancePolicy | Compliance policy for Windows 365 Cloud PCs (for feature that are not supported, e.g. BitLocker). Target All Devices with a filter that includes 'Windows-Windows365'. | |
| 16 | +| Prod-Windows-BitLocker | Windows BitLocker settings to enable encryption for fixed drives with the default AES 128 bit XTS encryption, enable encryption for standard users and backup of the key to Entra ID. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 17 | +| Prod-Windows-AzureVirtualDesktop-RemoteDesktop-Baseline-Device | Remote Desktop settings to apply to Azure Virtual Desktop and Windows 365 devices. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 18 | +| Prod-Windows-CredentialGuard-Baseline-Device | Enable Hypervisor Code Protected Integrity and Credential Guard without UEFI lock for safe approach to this security setting. Use this policy as a baseline and when no other policies are managing this setting. Credential Guard will break authentication to Azure Files where virtual machines are using account keys instead of Kerberos. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 19 | +| Prod-Windows-DeliveryOptimization-Baseline-Device | Windows 10/11 Delivery Optimization settings. Validate Windows Autopilot and application deployment functionality after applying to devices. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 20 | +| Prod-Windows-DeviceLockSignIn-Baseline-Device | Configurations for device lock and sign-in. Apply to All Devices with optional features, or copy to create settings to apply to different device types | |
| 21 | +| Prod-Windows-GoogleChrome-Baseline-Device | Baseline application policy settings for Google Chrome. This policy will lockdown Chrome, including preventing signing into the browser with a Google account. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 22 | +| Prod-Windows-GoogleChrome-Extensions-Baseline-Device | Configures extension settings in Google Chrome - prevents users from adding extensions, and configures a list of force installed extensions. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 23 | +| Prod-Windows-Microsoft365Apps-Baseline-Device | Configure Microsoft 365 Apps settings - validate channel. Assumes a single Microsoft 365 Apps package has been deployed, including Project and Visio - viewer mode is enabled so that users without a license can use these applications in viewer mode. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 24 | +| Prod-Windows-Microsoft365Apps-Baseline-User | Configure user targeted policy settings for the Microsoft 365 Apps. Apply to All Users (optionally with filters) or Entra ID user groups. | |
| 25 | +| Prod-Windows-MicrosoftDefenderAntivirus-Baseline-Device | Microsoft Defender antivirus and antimalware settings. Note 'Local Admin Merge' is enabled. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 26 | +| Prod-Windows-MicrosoftDefenderExclusions-Baseline-Device | Folder path exclusions to support Intune clients. Exclusions may need to be updated in MDE as well. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 27 | +| Prod-Windows-MicrosoftDefenderUpdateControls-Device | Configures Microsoft Defender update channels. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 28 | +| Prod-Windows-MicrosoftEdge-Baseline-Device | Baseline Microsoft Edge settings - enforce SmartScreen, sync, basic browser settings. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 29 | +| Prod-Windows-MicrosoftEdge-Extensions-AVDW365-Baseline-Device | Configures extension settings in Microsoft Edge - prevents users from adding extensions, and configures a list of force installed extensions. Adds: Microsoft Editor, uBlock Origin, My Apps Secure Sign-in Extension, Multimedia Redirection. Also enables the Edge sidebar & Copilot default extensions. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 30 | +| Prod-Windows-MicrosoftEdge-Extensions-Physical-Baseline-Device | Configures extension settings in Microsoft Edge - prevents users from adding extensions, and configures a list of force installed extensions. Adds: Microsoft Editor, uBlock Origin, My Apps Secure Sign-in Extension. Also enables the Edge sidebar & Copilot default extensions. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 31 | +| Prod-Windows-MicrosoftEdge-ProgressiveWebApps-User | Configure list of force-installed Microsoft 365 Progessive Web Apps that have no Store or Win32 application equivalent. Apply to All Users (optionally with filters) or Entra ID user groups. | |
| 32 | +| Prod-Windows-MicrosoftOneDrive-Baseline-Device | Configure OneDrive for Business including SSO and Known Folder Move. Important - Update tenant GUID from the Entra ID. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 33 | +| Prod-Windows-SecurityExperience-Baseline-Device | Windows Security Center settings and support contact into. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 34 | +| Prod-Windows-SmartScreenPhishingProtection-Baseline-Device | Microsoft Defender SmartScreen settings for Windows Explorer (Windows 10, Windows 11), and Phishing Protection in Windows 11. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 35 | +| Prod-Windows-StorageSense-Baseline-Device | Storage Sense settings to clear disk space including OneDrive and Downloads folders. Note - this will remove files older than 60 days from the users' Downloads folder and Recycle Bin. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 36 | +| Prod-Windows-WindowsUpdateSettings-Baseline-Device | Settings for Windows Update. Ensure Windows Update for Business reports have been configured for these settings to be applicable. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 37 | + |
| 38 | + ## ./windows-update |
| 39 | + |
| 40 | + | Name | Description | |
39 | 41 | | ---- | ----------- | |
40 | 42 | | (GoLive) Prod_Win11_WindowsFeature_24H2 | ** Do not modify without prior approval **Baseline:- Windows 11 24H2 | |
41 | 43 | | (GoLive) Prod_Win_SC_EdgeUpdates_Broad | ** Do not modify without prior approval **Baseline:- Assign to group "Intune-Win-Corporate-Device-Dynamic"Deploys Edge Stable Channel Updates. This policy is required by the Windows Autopatch service. | |
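Review bot: the re-added heading and table header at new lines 38-40 (`+ ## ./windows-update`, `+ | Name | Description |`) carry a leading space that the removed originals (`-## ./windows-update`, `-| Name | Description |`) did not; CommonMark tolerates up to three spaces, but it is inconsistent with every other heading in the file, so drop the space. Two rows from the removed block, `Prod-Windows-BaselinePolicies-Device` and `Prod-Windows-BaselinePolicies-User`, have no counterpart among the added rows: if those policies still exist in ./windows-baseline they should keep a table entry (presumably under the new `-Baseline-` naming), otherwise the deletion should be called out. The rename to `-Baseline-` is also incomplete: `Prod-Windows-MicrosoftDefenderUpdateControls-Device` and `Prod-Windows-MicrosoftEdge-ProgressiveWebApps-User` are the only rows in the new block without it, so either rename them or say why they differ. Typos in the added rows: "for feature that are not supported" (features), "support contact into" (info, carried over from the old row), "Progessive" (Progressive), and "Apply to All Devices with optional features" in the DeviceLockSignIn row most likely means "optional filters". The OneDrive row lost precision: the old text asked the reader to validate that the Tenant ID value matches this tenant's Entra ID tenant ID, while "Update tenant GUID from the Entra ID" no longer says which value to check against; keep the old wording. The sharper Credential Guard caveat (account keys versus Kerberos to Azure Files) and the explicit 60-day Storage Sense retention are good additions.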
|
47 | 49 | | (GoLive) Prod_Win_WindowsUpdates_Broad | ** Do not modify without prior approval **Baseline:- Assign to group "Intune-Win-Corporate-Device-Dynamic"- Quality update deferral period (days) - 3 | |
48 | 50 | | (GoLive) Prod_Win_WindowsUpdates_Limited | ** Do not modify without prior approval **Baseline:- Assign to group "Intune-Win-UpdateRingLimited-Device-Assigned". | |
49 | 51 | | (GoLive) Prod_Win_WindowsUpdates_Preview | ** Do not modify without prior approval **Baseline:- Assign to group "Intune-Win-UpdateRingPreview-Device-Assigned". | |
50 | | - |
51 | | -## ./windows-extras |
52 | | - |
53 | | -| Name | Description | |
| 52 | + |
| 53 | + ## ./windows-extras |
| 54 | + |
| 55 | + | Name | Description | |
54 | 56 | | ---- | ----------- | |
55 | 57 | | Win10_Autopilot | Windows Autopilot devices | |
56 | 58 | | Win10_DeviceGuard | Filter to be applied to "Prod_Win_Catalog_DeviceGuard" configuration. Device Guard only works with Enterprise and Education versions of Windows OS. | |
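Review bot: same leading-space problem as the previous hunk at new lines 53-55 (`+ ## ./windows-extras`, `+ | Name | Description |`): the removed lines had no indentation, so the added ones should not either; the hunk otherwise only moves the section header down by two lines and changes nothing else in ./windows-extras.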
|
110 | 112 | | GoLive - Set OneDrive client to add SharePoint Online location | Let the OneDrive client add a SharePoint Online team site library to Windows Explorer, to improve usability for users. Please set your customer's SharePoint Online Library ID by overriding the $InheritedVars.SPOLibraryID variable at the customer level. To get the required library ID, please refer to https://docs.microsoft.com/en-us/onedrive/use-group-policy#AutoMountTeamSites. | |
111 | 113 | | GoLive - Storage | Customer Config - Enabling Storage Sense | |
112 | 114 | | GoLive - Windows Autopilotv2 device preparation policies | | |
113 | | - |
114 | | -## ./windows-asr |
115 | | - |
116 | | -| Name | Description | |
| 115 | + |
| 116 | + ## ./windows-asr |
| 117 | + |
| 118 | + | Name | Description | |
117 | 119 | | ---- | ----------- | |
118 | 120 | | 0_Prod-Windows-ASR-AllAudit-Device | All Attack Surface Reduction rules in Audit mode. https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
119 | 121 | | 1_Prod-Windows-ASR-StandardBlock-Device | Standard Protection Attack Surface Reduction rules in Block mode, with all other ASR rules in Audit mode. https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-reference. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
120 | | - |
121 | | -## ./macos |
122 | | - |
123 | | -| Name | Description | |
| 122 | + |
| 123 | + ## ./macos |
| 124 | + |
| 125 | + | Name | Description | |
124 | 126 | | ---- | ----------- | |
125 | 127 | | Prod-macOS-CompliancePolicy | Compliance policy for all macOS devices. Apply by default to All Users. Note - changing the device password requirements will force a password change on all existing devices that have received this policy | |
126 | 128 | | Prod-macOS-EntraIDSingleSignOn-Device | Enable Entra ID single sign-on | |
127 | 129 | | Prod-macOS-MicrosoftEdge-Custom-Device | Microsoft Edge preferences file for default settings and settings not available in the Settings Catalog. | |
128 | 130 | | Prod-macOS-MicrosoftEdge-Device | Baseline Microsoft Edge settings - enforce SmartScreen, sync, basic browser settings. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
129 | 131 | | Prod-macOS-MicrosoftEdge-Extensions-Device | Configures extension settings in Microsoft Edge - prevents users from adding extensions, and configures a list of force installed extensions. Adds: Microsoft Editor, uBlock Origin, My Apps Secure Sign-in Extension. Also enables the Edge sidebar & Copilot default extensions. Apply to All Devices (optionally with filters) or Entra ID device groups. | |
| 132 | + |
| 133 | + |
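Review bot: the leading space recurs on the re-added `## ./windows-asr` and `## ./macos` headings and their `| Name | Description |` header rows (new lines 116, 118, 123, 125) and should be removed for consistency with the rest of the file; the two blank lines added at new lines 132-133 leave the file ending in extra trailing whitespace, so keep a single final newline. While touching this region, the unchanged row "GoLive - Windows Autopilotv2 device preparation policies" still has an empty Description cell and could be filled in.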