SkipToTheEndpoint
diff --git a/‎BYOD/README.md‎
Lines changed: 5 additions & 0 deletions b/‎BYOD/README.md‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎CHANGELOG.md‎
Lines changed: 90 additions & 17 deletions b/‎CHANGELOG.md‎
Lines changed: 90 additions & 17 deletions
diff --git a/‎MACOS/README.md‎
Lines changed: 7 additions & 0 deletions b/‎MACOS/README.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 13 additions & 9 deletions b/‎README.md‎
Lines changed: 13 additions & 9 deletions
diff --git a/‎SETTINGSGUIDANCE.md‎
Lines changed: 4 additions & 0 deletions b/‎SETTINGSGUIDANCE.md‎
Lines changed: 4 additions & 0 deletions
@@ -0,0 +1,5 @@
+# OIB BYOD App Protection
+
+## Microsoft App Protection Framework
+
+[Data protection framework using app protection policies | Microsoft Learn](https://learn.microsoft.com/en-us/mem/intune/apps/app-protection-framework)
@@ -1,22 +1,89 @@
 # Change Log
 
+# v3.2 - 2024-08-02
+## Added
+### Settings Catalog
+**Win - OIB - Device Security - D - Config Refresh - v3.2**
+* Added configuration to enable Config Refresh and re-apply settings on a 30 minute cadence.
+> [!NOTE]
+> Please read the article to understand the implications of applying this setting:
+>
+> [Intro to Config Refresh – a refreshingly new MDM feature](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/intro-to-config-refresh-a-refreshingly-new-mdm-feature/ba-p/4176921)
+
+**Win - OIB - Device Security - D - Location and Privacy - v3.2**
+* Added configuration to enable the location service while still allowing users to be in control of their privacy settings, but force allow the Settings App and the new Outlook client to access location data.
+
+**Win - OIB - Microsoft Accounts - D - Configuration - v3.2**
+* Replaced the user-based policy with a device-based policy with additional settings to restrict the use of MSA's.
+
+**Win - OIB - Windows Hello for Business - D - WHfB Configuration - v3.2**
+* The last non-Settings Catalog profile type, Account Protection (Preview) has finally been updated to the Settings Catalog format! The policy does have some changes when compared to the previous version and is also using Device scope settings rather than User, so please review the settings. The new template is also (currently) missing the "Allow biometric authentication" setting, so biometrics are enabled by default providing the device has biometric-capable hardware.
+
+## Changed/Updated
+### Settings Catalog
+**Win - OIB - Device Security - D - Windows Subsystem for Linux**
+* Updated the policy to match the Microsoft recommended settings for WSL documented here: 
+<br>[Intune Settings for WSL | Microsoft Learn](https://learn.microsoft.com/en-us/windows/wsl/intune#recommended-settings)
+<br> Thanks to [Peter van der Woude](https://x.com/pvanderwoude) for bringing my attention to the MS documentation.
+
+**Win - OIB - Device Security - U - Power and Device Lock**
+* Changed "Allow Hibernate" from "Enabled" to "Disabled". By having Hibernate enabled, "Require use of fast startup" being set to "Disabled" was not actually being enforced, leading to HiberBoot still working.
+
+**Win - OIB - Microsoft OneDrive - D - Configuration**
+* Added some additional file types to the block list for sync. Rationale for the additions are due to potential file corruption or security risks.
+<br>Added: Access (.accdb, .mdb), Scripts (.bat, .cmd, .vbs), Registry (.reg), Java (.jar), Disk Image (.img, .iso), and Virutal Hard Drive (.vhd, .vhdx, .vmdk).
+<br>Thanks to [Jóhannes](https://x.com/jgkps) for the suggestions!
+> [!NOTE]
+> As always, these are purely recommendations and should be adjusted to suit your environment.
+
+**Win - OIB - Microsoft Store - U - Configuration**
+* Removed "Require Private Store Only" setting to match the Microsoft recommendation on restricting access to the Microsoft Store:
+<br>[Configure access to the Microsoft Store app - Configure Windows | Microsoft Learn](https://learn.microsoft.com/en-us/windows/configuration/store/?tabs=intune)
+
+
+### Endpoint Security
+**Win - OIB - Defender Antivirus - D - AV Configuration**
+* Configured "Metered Connection Updates" to "Allowed" to ensure AV updates are still applied on metered connections.
+
+**Win - OIB - Defender Antivirus - D - Security Experience**
+* Added settings to ensure users are prompted via notifications for any actions taken by Defender Antivirus.
+<br>To enhance this policy further, consider enabling the Customized Toasts and in-app Customization settings to give users confidence that notifications are legitimate.
+
+
+## Removed
+**Win - OIB - Microsoft Accounts - U - Configuration**
+* Replaced by device-based policy, Win - OIB - Microsoft Accounts - D - Configuration - v3.2.
+
+**Win - OIB - Windows Hello for Business - U - WHfB Configuration**
+* Replaced by the newer Settings Catalog policy, Win - OIB - Windows Hello for Business - D - WHfB Configuration - v3.2.
+
+---
+
 # v3.1.1 - 2024-04-15
-### <u>Changed</u>
-#### <u>Settings Catalog</u>
+
+## Changed/Updated
+### Settings Catalog
 **Win - OIB - Internet Explorer (Legacy) - D - Security**
 * Resolved some policies that were mis-aligned with MS Baseline.
 
-## v3.1 - 2024-04-10
+**Win - OIB - Microsoft OneDrive - D - Configuration**
+* Fixes for #8 and #19.
+
+---
+
+# v3.1 - 2024-04-10
 
-### <u>Added</u>
-#### <u>Settings Catalog</u>
+## Added
+### Settings Catalog
 **Win - OIB - Credential Management - D - Passwordless - v3.1**
 * Added device policy to enable passwordless & web sign-in experiences, as well as setting WHfB as the default credential provider. 
-<br> **NOTE:** This can have an impact on the use of things like Run as Administrator and LAPS, so if you're doing that or not using WHfB (you should be), don't enable this policy.
+> [!WARNING]
+> This can have an impact on the use of things like Run as Administrator and LAPS, so if you're doing that or not using WHfB (you should be), don't enable this policy.
 
 **Win - OIB - Defender Antivirus - D - Additional Configuration - v3.1**
 * Added a number of settings not configurable via the Defender Antivirus policy in Endpoint Security.
-<br> **NOTE:** The "Hide Exclusions from Local Admins/Local Users" settings may make it difficult to troubleshoot issues from the endpoint, but ensure an attacker cannot identify any vulnerable excluded locations. Apply with caution.
+> [!NOTE]
+> The "Hide Exclusions from Local Admins/Local Users" settings may make it difficult to troubleshoot issues from the endpoint, but ensure an attacker cannot identify any vulnerable excluded locations. Apply with caution.
 
 **Win - OIB - Device Security - D - Windows Subsystem for Linux - v3.1**
 * Added device policy to restrict the use of WSL.
@@ -26,7 +93,8 @@
 
 **Win - OIB - Device Security - D - User Rights - v3.1**
 * Added policy to match the CIS L1 Intune Windows 11 baseline settings for User Rights configurations.
-<br> **NOTE:** I'm specifically using the [well-known SIDs](https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids) for the settings to ensure they work correctly regardless of the language of the OS. There is currently a requirement to use `(<![CDATA[]]>)` rather than `S-1-0-0` for a "No One" entry due to the way the CSP processes the policy.
+> [!NOTE]
+> I'm specifically using the [well-known SIDs](https://learn.microsoft.com/en-us/windows/win32/secauthz/well-known-sids) for the settings to ensure they work correctly regardless of the language of the OS. There is currently a requirement to use `(<![CDATA[]]>)` rather than `S-1-0-0` for a "No One" entry due to the way the CSP processes the policy.
 
 **Win - OIB - Network - D - BITS Configuration - v3.1**
 * Added setting to enable BITS Peercaching as well as turning on BranchCache and Distributed Cache mode.
@@ -37,11 +105,11 @@
 **Win - OIB - Windows Update for Business - D - Restart Warnings - v3.1**
 * Added policy to extend the scheduled and imminent restart warnings and force the user to manually dismiss them. No more "I didn't see the warning" excuses.
 
-#### <u>Endpoint Security</u>
+### Endpoint Security
 **Win - OIB - Defender Antivirus - D - Default Exclusions - v3.1**
 * Added a default AV exclusions policy based on NCSC recommendations.
 
-#### <u>Compliance</u>
+### Compliance
 Added separate compliance policies to allow for much better granularity and control over compliance grace periods:
 
 **Win - OIB - Compliance - U - Defender for Endpoint - v3.1**
@@ -56,8 +124,9 @@ Added separate compliance policies to allow for much better granularity and cont
 **Win - OIB - Compliance - U - Password - v3.1**
 * No Grace Period/Mark as non-compliant immediately
 
-### <u>Changed</u>
-#### <u>Settings Catalog</u>
+
+## Changed/Updated
+### Settings Catalog
 **Win - OIB - Device Security - D - Audit and Event Logging**
 * Aligned settings to match CIS L1.
 
@@ -69,7 +138,10 @@ Added separate compliance policies to allow for much better granularity and cont
 
 **Win - OIB - Device Security - U - Device Guard, Credential Guard and HVCI**
 * Added "Configure Lsa Protected Process" setting to "Enabled without UEFI lock.". The reasoning for setting this and other settings to **without** UEFI lock is that it allows for easier troubleshooting and rollback if required, documented [here](https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#remove-the-lsa-protection-uefi-variable). It can be set to **with** UEFI lock once satisfied with the configuration.
-<br> **NOTE:** Fresh installations of Windows 11 22H2 or later have LSA protection enabled by default: [Configure added LSA protection | Microsoft Learn](https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#automatic-enablement)
+> [!IMPORTANT]
+> Fresh installations of Windows 11 22H2 or later have LSA protection enabled by default:
+>
+> [Configure added LSA protection | Microsoft Learn](https://learn.microsoft.com/en-us/windows-server/security/credentials-protection-and-management/configuring-additional-lsa-protection#automatic-enablement)
 
 **Win - OIB - Internet Explorer (Legacy) - D - Security**
 * Amended a number of settings to ensure alignment with the Intune Win11 23H2 baseline and changed from a user-based recommendation to a device-based. Why won't Internet Explorer just die already?
@@ -85,7 +157,7 @@ Added separate compliance policies to allow for much better granularity and cont
 * Added the "Set the sync app update ring" setting configured to "Production" to keep the OneDrive sync client up to date.
 
 **Win - OIB - Microsoft Store - D - Configuration**
-* Changed "Block Non Admin User Install" and "Allow All Trusted Apps" from "Block" to "Allow" and "Explicit allow unlock." to "Explicit deny" respectively as per suggestion [here](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/discussions/4) - You'd think "Block" would mean it's blocked, but no, thanks Microsoft.
+* Changed "Allow All Trusted Apps" from "Explicit allow unlock." to "Explicit deny" respectively as per suggestion [here](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/discussions/4) - You'd think "Block" would mean it's blocked, but no, thanks Microsoft.
 * Removed "Block Non Admin User Install" and added "MSI Allow User Control Over Install" set to "Disabled".
 
 **Win - OIB - Microsoft Store - U - Configuration**
@@ -95,7 +167,8 @@ Added separate compliance policies to allow for much better granularity and cont
 **Win - OIB - Windows User Experience - D - Feature Configuration**
 * Added "Disable Consumer Account State Content" setting configured to "Enabled"
 
-#### <u>Endpoint Security</u>
+
+### Endpoint Security
 **Win - OIB - Defender Antivirus - D - AV Configuration**
 * Removed deprecated "Allow Intrusion Prevention System" setting.
 
@@ -109,7 +182,7 @@ Added separate compliance policies to allow for much better granularity and cont
 * Changed the Password Complexity to the "Improved readability" version.
 
 
-### <u>Removed</u>
+## Removed
 **Win - OIB - Microsoft Edge - U - Experience and Extensions**
 * Removed in favour of separate Extensions and User Experience policies.
 
@@ -121,6 +194,6 @@ Added separate compliance policies to allow for much better granularity and cont
 
 ---
 
-## v3.0 and Earlier
+# v3.0 and Earlier
 
 I'm sorry, but for various reasons I didn't keep a changelog before this point. I'll try to keep one from now on. 
@@ -0,0 +1,7 @@
+# OIB MacOS
+
+## WIP. 
+If you would like to contribute, please let me know!
+
+In the meantime, visit the amazing Intune Mac Admins resource:
+https://www.intunemacadmins.com/
@@ -18,8 +18,11 @@
 </p>
 
 ---
-<sup>**IMPORTANT:-** This has been developed as a starting point or foundation and is not necessarily considered "complete". It is being made available to allow learning, development, and knowledge-sharing amongst communities.<br>
-No liability is assumed for the usage or application of the settings within this project in production tenants.</sup>
+
+> [!IMPORTANT]
+> This has been developed as a starting point or foundation and is not necessarily considered "complete". It is being made available to allow learning, development, and knowledge-sharing amongst communities.
+>
+> No liability is assumed for the usage or application of the settings within this project in production tenants.
 
 ---
 
@@ -52,9 +55,7 @@ I would always recommend maintaining GPO for on-prem devices, and using Intune f
 ## Baseline Security Posture
 Security frameworks tend to be seen as unmovable hard requirements rather than what they are, which is a set of **recommendations**. In fact, the CIS themselves preface their benchmarks with the following:
 
-> It is acceptable if 100% of the benchmark is not applied, as it is the responsibility and 
-decision of each organization to determine which settings are applicable to their unique 
-needs.
+> **It is acceptable if 100% of the benchmark is not applied, as it is the responsibility and decision of each organization to determine which settings are applicable to their unique needs.**
 
 It is impossible to create a true "one-size-fits-all" set of policies due to the massively differing nature of enterprise requirements. There is also a significant amount of "noise" in the security community, with many recommending settings that are not necessarily required or beneficial, such as enforcing default behaviour that a standard user cannot change, or settings that have been included in GPO baselines since the days of Windows 7. 
 This baseline is designed to be a starting point or guide, and all configurations applied to an environment regardless of source should be reviewed and adjusted to suit your own business requirements.
@@ -106,8 +107,6 @@ Almost all policies are Settings Catalog-backed and will show in Devices>Configu
 * Windows Hello for Business
 * Windows LAPS
 
-Guidance on settings can be found in the [Settings Guidance](/SETTINGSGUIDANCE.md) document.
-
 ## Limitations:
 Due to the wildly differing nature of environments, it is not possible to create a "baseline" for AppLocker or Windows Defender Application Control (WDAC). While the baseline ensures standard users cannot elevate to install applications, apps that do not require elevation or install to a user's AppData folder may not be blocked.
 
@@ -116,16 +115,21 @@ Due to the wildly differing nature of environments, it is not possible to create
 - **Windows Update for Business Reports** - With an appropriate Azure subscription, a Log Analytics Workspace can be created to monitor update compliance of devices. - [Additional information](https://learn.microsoft.com/en-us/windows/deployment/update/wufb-reports-overview) 
 - **M365 Apps Updates** - Enabling [Cloud Update](https://learn.microsoft.com/en-us/deployoffice/admincenter/cloud-update) through [config.office.com](https://config.office.com/officeSettings/serviceprofile) can ensure Office Apps for Business/Enterprise remain up-to-date on the Monthly Enterprise Channel. Settings in the "Office - Update Settings" policy can remain as Cloud Update takes priority over any other Office management. Ensure the [Inventory](https://config.office.com/officeSettings/inventory) is enabled.
 
+> [!NOTE]
+> Guidance on this can be found in the [Settings Guidance](/SETTINGSGUIDANCE.md) document.
+
 ---
 
 ## Importing the Baseline:
 The baseline was exported using the tool developed by Mikael Karlsson ([GitHub](https://github.com/Micke-K/IntuneManagement) and [Twitter](https://twitter.com/Micke_K_72)), and can be imported in the same way.
 Download or clone this repo, run the IntuneManagement tool and in the tool settings, change the "Root folder" under Import/Export to the appropriate folder of the baseline. Authenticate to a tenant with appropriate credentials, and use the Bulk>Import menu to import the whole baseline. Individual policy imports can be achieved using the "Import" option in the bottom right of the tool.
 
-You can choose to import as much or as little of the baseline as you wish, though you will need to change the "Root folder" to the appropriate folder for the policies you wish to import (e.g. Settings Catalog).
+You can choose to import as much or as little of the baseline as you wish, though you will need to change the "Root folder" to the appropriate folder for the platform (e.g. WINDOWS), or policy types (e.g. Settings Catalog) you wish to import.
 
 ## Post-Import Changes:
 As of v3.1 there are no post-import changes required as the IntuneManagement tool will automatically modify the Tenant GUIDs included in OneDrive policies based on the tenant.
 
 ## Additional Information:
-Please consult the [FAQ](/FAQ.md)
+
+> [!TIP]
+> For further information, please consult the [FAQ](/FAQ.md)
@@ -24,6 +24,10 @@ The following settings are what I would reccommend for a standard, flat organisa
 | Windows Autopatch - Ring3 	| Dynamic - 80% 	|        9 days       	|     1 day    	|      2 days      	|
 | Windows Autopatch - Last  	| Assigned      	|       13 days       	|    0 days    	|       1 day      	|
 
+I'm also unhappy with the lack of reporting on M365 Apps updates Autopatch currently provides, so would personally disable Autopatch doing M365 Apps and instead configure Cloud Update (previously Servicing Profiles) via the [Microsoft 365 Apps Admin Center](https://config.office.com/) which provides incredible reporting and rollback capabilities. You can create "waves" which can act like WUfB update rings, and align these to your existing Autopatch groups.
+
+Full information on Cloud update can be found here: [Overview of cloud update in the Microsoft 365 Apps admin center](https://learn.microsoft.com/en-us/microsoft-365-apps/admin-center/cloud-update)
+
 ### Windows Update for Business (WUfB) Rings
 
 The baseline utilises a 3-ring update model of Pilot, UAT & Production. This is designed to allow for a staged rollout of updates to ensure any issues are caught before they reach the majority of users.