windows-v3.4

[SkipToTheEndpoint]

Windows v3.4 - 2025-01-24

Important

A UI change in November '24 has made all policy types visible in the Configuration blade. This has caused a lot of confusion when trying to identify policies configured via Endpoint Security.
By "popular" demand, ALL policies have been renamed to add the policy type into the naming convention which will assist with identifying if the policy actually exists elsewhere:

SC - Settings Catalog

ES - Endpoint Security

TP - Template

To save even more confusion, I've not bumped everything up a whole version because nothing has changed beyond the name, with the exception of the Defender Antivirus Update Rings, which I've had to add version numbers.

I realise the impact to those with existing versions of the OIB deployed will now be in a situation where you either have to rename all your other policies to match, or rename new ones you import.
Sorry :(

Added

Settings Catalog

Win - OIB - SC - Device Security - D - Script File Associations - v3.4

• Added a Default File Associations policy to make the following file types open in notepad by default:
  appx, bat, cab, com, cmd, hta, js, jse, ps1, s1m, sct, shb, shs, wsf, wsh, vbe, vbs
  • Inspired by this blog and adapted to use in Intune by taking the file association XML and converting to Base64.

Warning

Deploying will break running any PowerShell scripts from Intune in the User context. Amend policy if this functionality is required.
Win - OIB - SC - Device Security - U - Windows Sandbox - v3.4

• Added new available settings to restrict the Windows Sandbox feature.
  I've gone back and forth on this one as there are no security recommendations for Sandbox, though have taken the following into consideration:

  • You have to be an Administrator to enable the feature
  • Sandbox has legitimate and helpful use-cases for IT Admins such as testing installs or via things like Run In Sandbox
  • The risk of data exfiltration from the host via the Sandbox is entirely dependent on network connectivity.

  Therefore, the configuration applied allows the use of copy and paste/clipboard redirection into the sandbox, but all other settings, including networking are not allowed.

  I feel this is a meaningful middleground between making the feature worthless to those who may have a valid use-case.

Endpoint Security

Win - OIB - ES - Encryption - U - Personal Data Encryption - v3.4

• Added in Intune 2409, PDE utilises the user's Windows Hello for Business credentials as a separate encryption key to secure data within OneDrive Known Folders (Documents, Desktop, Pictures)
  As Intune doesn't provide a native way of doing pre-boot BitLocker PIN's, in my opinion, PDE is the bridging gap to ensuring important data is properly encrypted in cases of device theft (which is already an edge case).

Important

Please do the necessary reading on what PDE is and the prerequisites and licensing required, and the MS FAQ before deploying this policy.

Template

Win - OIB - TP - Health Monitoring - D - Endpoint Analytics - v3.4

• New version of the Health Monitoring template that now only enables Endpoint Analytics.
  Windows Update data needs to be separately enabled via Tenant Admin > Connectors and Tokens > Windows Data
  https://learn.microsoft.com/en-gb/mem/intune/protect/data-enable-windows-data

Changed/Updated

Settings Catalog

Win - OIB - SC - Defender Antivirus - D - Additional Configuration

• Added "Enable File Hash Computation" set to Enable to improve reliability of MDE's IOC detection.
  Recommendation taken from Ru Campbell's video, "Why Your Defender for Endpoint Setup Isn’t Working".

Win - OIB - SC - Device Security - D - Security Hardening

• Added the following settings to close some non-impactful gaps against the CIS Benchmark:

  Administrative Templates > Network > Windows Connection Manager

  • Minimize the number of simultaneous connections to the Internet or a Windows Domain - Enabled: 3 = Prevent Wi-Fi when on Ethernet

  Administrative Templates > Printers

  • Limits print driver installation to Administrators - Enabled
  • Point and Print Restrictions - Enabled
    • Users can only point and print to these servers - True
    • When installing drivers for a new connection - Show warning and elevation prompt
    • When updating drivers for an existing connection - Show warning and elevation prompt
  • Allow Print Spooler to accept client connections - Disabled

  Wireless Display

  • Allow Projection from PC - Your PC can discover and project to other devices.
  • Allow Projection to PC - Projection to PC is not allowed. Always off and the user cannot enable it.
  • Require PIN for Pairing - Pairing ceremony for new devices will always require a PIN.

Win - OIB - SC - Device Security - D - Timezone

• Changed the User Rights settings to match the defaults of LOCAL SERVICE (S-1-5-19), Administrators (S-1-5-32-544) and Users (S-1-5-32-545). Fixes #66

  Thanks for everyone's input in Discussion #49!

Important

Despite this change, there is a current MS-recognised issue in 24H2 where the Time Zone settings are missing to standard users: https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#date---time-in-window-settings-might-not-permit-users-to-change-time-zone
Win - OIB - SC - Device Security - D - User Rights

• Removed the following User Rights settings that were all configured to (<![CDATA[...]]>):

  • "Access Credential Manager as a trusted caller"
  • "Act as part of the operating system"
  • "Create a token object"
  • "Create permanent shared objects"
  • "Enable computer and user accounts to be trusted for delegation"
  • "Lock pages in memory"
  • "Modify an object label"

  All of the above are empty by default on Windows, and it's difficult to tell whether the policy is just silently erroring (as the use of (<![CDATA[...]]>) is only valid when using Custom OMA-URI as per the docs) but remaining empty because that's default.
  Either way, it's an enforcement of defaults, and with the difficulty of verifying the policy even works correctly, I'm removing the offending settings until a better solution presents itself.

• Added *S-1-2-0 to "Deny Remote Desktop Services Log On" to match the CIS recommendation.

• Fixed missing asterisk on S-1-5-6 of "Create Global Objects". Fixes #64

Win - OIB - SC - Microsoft Edge - D - Security

• Added "Configure Edge TyposquattingChecker" set to Enabled.
• Added "Allow websites to query for available payment methods" set to Disabled.
• Replaced superseded "Allow Download Restrictions" setting with newer version. Maintained the value of 1 (BlockDangerousDownloads).
• Removed "Show Hubs Sidebar" setting as it was duplicated in the User Experience policy.

Win - OIB - SC - Microsoft Edge - D - User Experience

• Added "Enable CryptoWallet feature (User)" set to Disabled
• Added "Shopping in Microsoft Edge Enabled (User)" set to Disabled
• Removed "Show Hubs Sidebar (User)" and "Search in Sidebar enabled (User)" as there must have been a change that now causes them to block the use of the Copilot button.
  • Thanks to Lewis for reporting and testing the fix to this!

Win - OIB - SC - Microsoft Store - D - Configuration

• Added setting "Block Non Admin User Install" set to "Block".

Win - OIB - SC - Microsoft Store - D - Configuration

• Added setting "Block Non Admin User Install" set to "Block".

Endpoint Security

Win - OIB - ES - Defender Antivirus Updates - Ring *

• All policies have been given the 3.4 version number. No actual policy changes have been made.

Deprecated

Settings Catalog

Google Chrome

Maintaining a level of parity between Edge and Chrome is difficult, and the OIB Chrome policies were (on purpose) very "Anti Chrome".
My focus will be to ensure the best set of policies for Edge moving forward, and dropping the Chrome policies.

It is my opinion that Edge should be the primary and only browser available in an enterprise environment, and continued efforts by Microsoft to improve the security and managability of Edge for Business backs this up.
My recommendation is to use the Edge Management Service to "Block other Browsers" which creates and deploys an AppLocker policy to b

Removed

Settings Catalog

Win - OIB - Network - D - BITS Configuration

• Provided no value and most things don't even use BITS.

Template

Win - OIB - Health Monitoring - D - Endpoint Analytics and Windows Updates - v3.0

• Recreated with updated settings.

---

This discussion was created from the release windows-v3.4.

[0xAnalyst]

can we adjust Win - OIB - SC - Device Security - D - Script File Associations - v3.4 to enclude some other file extensions. here is my list

<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
 <Association Identifier=".appx" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".bat" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".cab" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".chm" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".cmd" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".com" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".diff" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".hta" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".iqy" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".iso" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".js" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".jse" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".msc" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".prn" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".ps1" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".ps1m" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".rdg" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".scr" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".sct" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".shb" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".shs" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".slk" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".url" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".vbe" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".vbs" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".wcx" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".ws" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".wsc" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".wsf" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
 <Association Identifier=".wsh" ProgId="Applications\notepad.exe" ApplicationName="Notepad" />
</DefaultAssociations>