SkipToTheEndpoint
diff --git a/‎.gitignore‎
Lines changed: 1 addition & 0 deletions b/‎.gitignore‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎README.md‎
Lines changed: 18 additions & 5 deletions b/‎README.md‎
Lines changed: 18 additions & 5 deletions
diff --git a/‎WINDOWS/CHANGELOG.md‎
Lines changed: 142 additions & 0 deletions b/‎WINDOWS/CHANGELOG.md‎
Lines changed: 142 additions & 0 deletions
@@ -0,0 +1 @@
+.vscode/*
@@ -1,11 +1,16 @@
 # OpenIntuneBaseline
 
 <p align="center">
-  <a href="https://twitter.com/SkipToEndpoint">
-    <img alt="Twitter Follow" src="https://img.shields.io/twitter/follow/SkipToEndpoint?label=Follow%20%40SkipToEndpoint&logo=Twitter&style=flat-square" target="_blank" />
+  <a href="https://x.com/SkipToEndpoint">
+    <img alt="X (formerly Twitter) Follow" src="https://img.shields.io/twitter/follow/SkipToEndpoint?style=social&label=Follow%20on%20X" target="_blank" />
   </a>
+   | 
+  <a href="https://bsky.app/profile/skiptotheendpoint.co.uk">
+    <img alt="BlueSky URL" src="https://img.shields.io/badge/dynamic/json?url=https%3A%2F%2Fpublic.api.bsky.app%2Fxrpc%2Fapp.bsky.actor.getProfile%2F%3Factor%3Dskiptotheendpoint.co.uk&query=%24.followersCount&style=social&logo=bluesky&label=Follow%20on%20BSky" target="_blank" />
+  </a>
+   | 
   <a href="https://skiptotheendpoint.co.uk">
-    <img alt="Twitter Follow" src="https://img.shields.io/badge/Read%20my%20blog-grey?style=flat-square&logo=ghost" target="_blank" />
+    <img alt="Blog" src="https://img.shields.io/badge/Read%20My%20Blog-grey?style=flat-square&logo=ghost" target="_blank" />
   </a>
 </p>
 <p align="center">
@@ -26,8 +31,16 @@
 
 ---
 
-## Project History
-The OpenIntuneBaseline (OIB) project was started as a way to provide a "known good" baseline security posture for Windows devices managed by Microsoft Intune.
+## About the Author
+James is a Technical Architect and Microsoft MVP in both Intune and Windows, and has been working in the IT industry for over 20 years, with the last 8 being primarily within Intune. He is also a recognised contributor to the CIS Windows Benchmarks.
+He has a wealth of experience across the Microsoft 365 stack, with a focus on security and compliance, and is a regular attendee and speaker at community events such as [MMS](https://mmsmoa.com/) and [Workplace Ninja Summit](https://www.wpninjas.ch/events/), and is passionate about sharing knowledge and helping others.
+
+---
+
+## About the Project
+
+### Project History
+The OpenIntuneBaseline (OIB) project was started in early 2021 as a way to provide a "known good" baseline security posture for Windows devices managed by Microsoft Intune, after being disappointed with the admin and user experience of other available baselines.
 
 ### Security Framework Adherence
 When creating the initial Windows baseline, substantial data analysis was carried out over well-known security frameworks, such as:
 
@@ -1,5 +1,147 @@
 # OIB Windows Change Log
 
+# Windows v3.4 - 2025-01-24
+> [!IMPORTANT]
+> A UI change in November '24 has made _**all**_ policy types visible in the Configuration blade. This has caused a lot of confusion when trying to identify policies configured via Endpoint Security.
+> [By "popular" demand](https://x.com/SkipToEndpoint/status/1863535554714865747), ALL policies have been renamed to add the policy type into the naming convention which will assist with identifying if the policy actually exists elsewhere:
+> 
+> **SC** - Settings Catalog<br>
+> **ES** - Endpoint Security<br>
+> **TP** - Template<br>
+>
+> To save even more confusion, I've not bumped everything up a whole version because nothing has changed beyond the name, with the exception of the Defender Antivirus Update Rings, which I've had to add version numbers.
+> 
+> I realise the impact to those with existing versions of the OIB deployed will now be in a situation where you either have to rename all your other policies to match, or rename new ones you import.
+> Sorry :(
+
+## Added
+### Settings Catalog
+**Win - OIB - SC - Device Security - D - Script File Associations - v3.4**
+* Added a Default File Associations policy to make the following file types open in notepad by default:
+    appx, bat, cab, com, cmd, hta, js, jse, ps1, s1m, sct, shb, shs, wsf, wsh, vbe, vbs
+    * Inspired by [this blog](https://kostas-ts.medium.com/my-favourite-security-focused-gpo-stopping-script-execution-with-file-associations-59a05b6d181e) and adapted to use in Intune by taking the file association XML and converting to Base64.
+> [!WARNING]
+> Deploying will break running any PowerShell scripts from Intune in the User context. Amend policy if this functionality is required.
+
+**Win - OIB - SC - Device Security - U - Windows Sandbox - v3.4**
+* Added new available settings to restrict the [Windows Sandbox](https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview) feature.
+I've gone back and forth on this one as there are no security recommendations for Sandbox, though have taken the following into consideration:
+    * You have to be an Administrator to enable the feature
+    * Sandbox has legitimate and helpful use-cases for IT Admins such as testing installs or via things like [Run In Sandbox](https://github.com/damienvanrobaeys/Run-in-Sandbox)
+    * The risk of data exfiltration from the host via the Sandbox is entirely dependent on network connectivity.
+
+    Therefore, the configuration applied **allows** the use of copy and paste/clipboard redirection into the sandbox, but all other settings, including networking are **not allowed**.
+
+    I feel this is a meaningful middleground between making the feature worthless to those who may have a valid use-case.
+
+### Endpoint Security
+**Win - OIB - ES - Encryption - U - Personal Data Encryption - v3.4**
+* Added in [Intune 2409](https://skiptotheendpoint.co.uk/settings-rundown/intune-settings-rundown-2409/#personal-data-encryption-pde), PDE utilises the user's Windows Hello for Business credentials as a separate encryption key to secure data within OneDrive Known Folders (Documents, Desktop, Pictures)
+    As Intune doesn't provide a native way of doing pre-boot BitLocker PIN's, _in my opinion_, PDE is the bridging gap to ensuring important data is properly encrypted in cases of device theft (which is already an edge case).
+> [!IMPORTANT]
+> **_Please_** do the necessary reading on [what PDE is and the prerequisites and licensing required](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/personal-data-encryption), and the [MS FAQ](https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/personal-data-encryption/faq) before deploying this policy.
+
+### Template
+**Win - OIB - TP - Health Monitoring - D - Endpoint Analytics - v3.4**
+* New version of the Health Monitoring template that now only enables Endpoint Analytics. 
+    Windows Update data needs to be separately enabled via Tenant Admin > Connectors and Tokens > Windows Data
+    https://learn.microsoft.com/en-gb/mem/intune/protect/data-enable-windows-data
+
+
+## Changed/Updated
+### Settings Catalog
+**Win - OIB - SC - Defender Antivirus - D - Additional Configuration**
+* Added ["Enable File Hash Computation"](https://learn.microsoft.com/en-gb/windows/client-management/mdm/defender-csp?WT.mc_id=Portal-fx#configurationenablefilehashcomputation) set to `Enable` to improve reliability of MDE's IOC detection.
+    Recommendation taken from [Ru Campbell](https://x.com/rucam365)'s video, ["Why Your Defender for Endpoint Setup Isn’t Working"](https://www.youtube.com/watch?v=PBy1dxoqakY).
+
+**Win - OIB - SC - Device Security - D - Security Hardening**
+* Added the following settings to close some non-impactful gaps against the CIS Benchmark:
+
+    **Administrative Templates > Network > Windows Connection Manager**
+    * Minimize the number of simultaneous connections to the Internet or a Windows Domain - `Enabled: 3 = Prevent Wi-Fi when on Ethernet`
+    
+    **Administrative Templates > Printers**
+    * Limits print driver installation to Administrators - `Enabled`
+    * Point and Print Restrictions - `Enabled`
+        * Users can only point and print to these servers - `True`
+        * When installing drivers for a new connection - `Show warning and elevation prompt`
+        * When updating drivers for an existing connection - `Show warning and elevation prompt`
+    * Allow Print Spooler to accept client connections - `Disabled`
+    
+    **Wireless Display**
+    * Allow Projection from PC - Your PC can discover and project to other devices.
+    * Allow Projection to PC - Projection to PC is not allowed. Always off and the user cannot enable it.
+    * Require PIN for Pairing - Pairing ceremony for new devices will always require a PIN.
+
+**Win - OIB - SC - Device Security - D - Timezone**
+* Changed the User Rights settings to match the defaults of LOCAL SERVICE (`S-1-5-19`), Administrators (`S-1-5-32-544`) and Users (`S-1-5-32-545`). Fixes [#66](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/issues/66)
+
+    Thanks for everyone's input in [Discussion #49](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/discussions/49)!
+> [!IMPORTANT]
+> Despite this change, there is a current MS-recognised issue in 24H2 where the Time Zone settings are missing to standard users: https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#date---time-in-window-settings-might-not-permit-users-to-change-time-zone
+
+**Win - OIB - SC - Device Security - D - User Rights**
+* Removed the following User Rights settings that were all configured to `(<![CDATA[...]]>)`:
+    * "Access Credential Manager as a trusted caller"
+    * "Act as part of the operating system"
+    * "Create a token object"
+    * "Create permanent shared objects"
+    * "Enable computer and user accounts to be trusted for delegation"
+    * "Lock pages in memory"
+    * "Modify an object label"
+
+    All of the above are empty by default on Windows, and it's difficult to tell whether the policy is just silently erroring (as the use of `(<![CDATA[...]]>)` is only valid when using Custom OMA-URI [as per the docs](https://learn.microsoft.com/en-gb/windows/client-management/mdm/policy-csp-userrights#general-example)) but remaining empty because that's default.
+    Either way, it's an enforcement of defaults, and with the difficulty of verifying the policy even works correctly, I'm removing the offending settings until a better solution presents itself.
+
+* Added `*S-1-2-0` to "Deny Remote Desktop Services Log On" to match the CIS recommendation.
+
+* Fixed missing asterisk on `S-1-5-6` of "Create Global Objects". Fixes [#64](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/issues/64)
+
+**Win - OIB - SC - Microsoft Edge - D - Security**
+* Added "Configure Edge TyposquattingChecker" set to `Enabled`.
+* Added "Allow websites to query for available payment methods" set to `Disabled`.
+* Replaced superseded "Allow Download Restrictions" setting with newer version. Maintained the value of `1` (BlockDangerousDownloads).
+* Removed "Show Hubs Sidebar" setting as it was duplicated in the User Experience policy.
+
+**Win - OIB - SC - Microsoft Edge - D - User Experience**
+* Added "Enable CryptoWallet feature (User)" set to `Disabled`
+* Added "Shopping in Microsoft Edge Enabled (User)" set to `Disabled`
+* Removed "Show Hubs Sidebar (User)" and "Search in Sidebar enabled (User)" as there must have been a change that now causes them to block the use of the Copilot button.
+    * Thanks to [Lewis](https://conditionalaccess.uk/) for reporting and testing the fix to this!
+
+**Win - OIB - SC - Microsoft Store - D - Configuration**
+* Added setting "Block Non Admin User Install" set to "Block".
+
+**Win - OIB - SC - Microsoft Store - D - Configuration**
+* Added setting "Block Non Admin User Install" set to "Block".
+
+## Endpoint Security
+**Win - OIB - ES - Defender Antivirus Updates - Ring `*`**
+* All policies have been given the 3.4 version number. No actual policy changes have been made.
+
+
+## Deprecated
+## Settings Catalog
+**Google Chrome**
+
+Maintaining a level of parity between Edge and Chrome is difficult, and the OIB Chrome policies were (on purpose) very "Anti Chrome".
+My focus will be to ensure the best set of policies for Edge moving forward, and dropping the Chrome policies.
+
+It is my opinion that Edge should be the primary and only browser available in an enterprise environment, and continued efforts by Microsoft to improve the security and managability of Edge for Business backs this up.
+My recommendation is to use the [Edge Management Service to "Block other Browsers"](https://learn.microsoft.com/en-us/deployedge/microsoft-edge-management-service-customizations#block-other-browsers) which creates and deploys an AppLocker policy to b 
+
+
+## Removed
+### Settings Catalog
+**Win - OIB - Network - D - BITS Configuration**
+* Provided no value and most things don't even use BITS.
+
+### Template
+**Win - OIB - Health Monitoring - D - Endpoint Analytics and Windows Updates - v3.0**
+* Recreated with updated settings.
+
+---
+
 # Windows v3.3 - 2024-09-02
 ## Added
 ### Endpoint Security