
Releases: SkipToTheEndpoint/OpenIntuneBaseline

windows-v3.7

15 Oct 11:40
cabedb9


Windows v3.7 - 2025-10-15 - 25H2 Edition

Added 🆕

Settings Catalog

🆕Win - OIB - SC - Device Security - D - Administrator Protection - v3.7

  • Added configuration to enable the new Administrator Protection feature:
    • User Account Control Behavior Of The Elevation Prompt For Administrator Protection - Prompt for credentials on the secure desktop
    • User Account Control Type Of Admin Approval Mode - Admin Approval Mode with Administrator protection

Important

As of writing this, the feature is still flagged as Windows Insider only, but I'm hoping it will be enabled soon and I didn't want that to happen mid-way through a release cycle :)

🆕Win - OIB - SC - Device Security - D - Printing - v3.7

  • The following settings have been moved out of the Security Hardening profile into their own profile to make them easier to find and manage:

    • Allow Print Spooler to accept client connections - Disabled
    • Point and Print Restrictions - Enabled
      • Users can only point and print to machines in their forest: (Device) - False
      • Users can only point and print to these servers: (Device) - True
      • When installing drivers for a new connection: (Device) - Show warning and elevation prompt
      • When updating drivers for an existing connection: (Device) - Show warning and elevation prompt
    • Limits print driver installation to Administrators - Enabled
  • The following settings have been added to match the Microsoft Security Baseline and CIS Intune Benchmark:

    • Configure Redirection Guard - Enabled
      • Redirection Guard Options: (Device) - Redirection Guard Enabled
    • Configure RPC connection settings - Enabled
      • Protocol to use for outgoing RPC connections: (Device) - RPC over TCP
      • Use authentication for outgoing RPC connections: (Device) - Default
    • Configure RPC listener settings - Enabled
      • Authentication protocol to use for incoming RPC connections: (Device) - Negotiate
      • Protocols to allow for incoming RPC connections: (Device) - RPC over TCP
    • Configure RPC over TCP port - Enabled
      • RPC over TCP port: (Device) - 0
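
A device-side check for the print hardening above, added here as an example (it is not OpenIntuneBaseline's own code). ADMX-backed Policy CSP settings land in the same HKLM\SOFTWARE\Policies keys their Group Policy equivalents use, so the script reads those keys and compares them with the values the Printing profile sets. The registry value names come from Printing.admx as I know it; `RedirectionguardPolicy` in particular is an assumption, so confirm the names against the ADMX before relying on this in production.

```powershell
# Added example, not part of OpenIntuneBaseline: verify that the Printing profile's
# hardening has actually landed on a device. Value names/data are taken from
# Printing.admx as understood by the author of this example (RedirectionguardPolicy
# is assumed); confirm against the ADMX/MDM documentation for your build.

$printersKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

# Expected state, keyed by registry path, then by value name.
$Expected = @{
    $printersKey = @{
        RegisterSpoolerRemoteRpcEndPoint = 2   # Allow Print Spooler to accept client connections: Disabled (1 = Enabled)
        RedirectionguardPolicy           = 1   # Configure Redirection Guard: Enabled (value name assumed)
    }
    "$printersKey\PointAndPrint" = @{
        Restricted                                 = 1   # Point and Print Restrictions: Enabled
        TrustedServers                             = 1   # users can only point and print to these servers
        InForest                                   = 0   # not restricted to the forest
        NoWarningNoElevationOnInstall              = 0   # show warning and elevation prompt on new connection
        UpdatePromptSettings                       = 0   # show warning and elevation prompt on driver update
        RestrictDriverInstallationToAdministrators = 1   # Limits print driver installation to Administrators
    }
    "$printersKey\RPC" = @{
        RpcTcpPort = 0                                   # Configure RPC over TCP port: 0 = dynamic port
    }
}

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PrintHardening {
    param([hashtable]$Expected)
    foreach ($path in $Expected.Keys) {
        foreach ($name in $Expected[$path].Keys) {
            $want = $Expected[$path][$name]
            $have = Get-PolicyValue -Path $path -Name $name
            [pscustomobject]@{
                Key      = $path.Replace('HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\', '')
                Value    = $name
                Expected = $want
                Actual   = if ($null -eq $have) { '<not set>' } else { $have }
                Ok       = ($have -eq $want)
            }
        }
    }
}

$results = @(Test-PrintHardening -Expected $Expected)
$results | Sort-Object Key, Value | Format-Table -AutoSize

# RegisterSpoolerRemoteRpcEndPoint only takes effect once the Spooler service restarts,
# so also show its current state rather than trusting the registry alone.
$spooler = Get-Service -Name Spooler
Write-Output ("Spooler service: {0} (start type {1})" -f $spooler.Status, $spooler.StartType)

if ($results | Where-Object { -not $_.Ok }) { exit 1 } else { exit 0 }
```

Run it elevated after a policy sync; a non-zero exit makes it usable as the detection half of an Intune remediation.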

🆕Win - OIB - SC - Windows User Experience - D - Settings Sync - v3.7

  • Added configuration to support the new Windows Backup for Organizations (WBfO) feature, with some minor restrictions.
    • Enable Windows Backup - Enabled
    • Do not sync passwords - Enabled
      • Allow users to turn "passwords" syncing on. (Device) - False
    • Enable Windows Restore - Enabled

Note

This feature also needs to be enabled in the Intune admin center under Devices > Windows > Enrollment > Windows Backup and Restore.
For more information, see Windows Backup and Restore - Microsoft Intune | Microsoft Learn

Endpoint Security

🆕Win - OIB - ES - Local Group Membership - D - Local Administrators - v3.7

  • New profile to manage local group membership of the built-in Administrators group, replacing any existing members and only allowing the WLapsAdmin account.
    • Local Group - Administrators
    • Group and User Action - Replace
    • User selection type - Manual
    • Selected user(s) - WLapsAdmin

Note

Autopilot is not a security boundary, and blocking the launch of a command prompt from within OOBE can negatively impact IT Admins' ability to troubleshoot. This means a savvy or malicious user can create an additional local Administrator account before running through Autopilot. To counter this, it's good practice to ensure that only the accounts you explicitly want in the local Administrators group are present, which is what the Replace action above enforces.

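A detection script for the state this profile enforces, added as an example (not OpenIntuneBaseline's own code). It enumerates the local Administrators group through ADSI, because `Get-LocalGroupMember` fails outright when the group contains an orphaned SID, which is exactly what a rogue account created during OOBE and later deleted can leave behind. Assumptions: the LAPS-managed account is named WLapsAdmin as in the profile above, and the built-in Administrator (RID 500) is tolerated because it cannot be removed from the group (the baseline disables it instead).

```powershell
# Added example, not part of OpenIntuneBaseline: detect members of the local
# Administrators group that the "Local Administrators" profile would not permit.
# Shaped as an Intune remediation detection script (exit 1 = non-compliant).
# Assumptions: the LAPS-managed account is named WLapsAdmin (as in the profile),
# and the built-in Administrator (RID 500) is tolerated because it cannot be
# removed from the group (the baseline disables it instead).

$AllowedNames       = @('WLapsAdmin')
$AllowedSidPatterns = @('-500$')        # built-in Administrator of this machine

function Get-LocalAdministratorsMembers {
    # Bind by well-known SID so this works on localised builds; use ADSI rather than
    # Get-LocalGroupMember, which throws when the group contains an orphaned SID
    # (a deleted account, a stale Entra object) instead of reporting it.
    $groupSid  = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $groupName = $groupSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
    $group     = [ADSI]"WinNT://$env:COMPUTERNAME/$groupName,group"

    foreach ($member in @($group.Invoke('Members'))) {
        $bytes = $member.GetType().InvokeMember('objectSid', 'GetProperty', $null, $member, $null)
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $null }          # orphaned SID: no name can be resolved
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
}

function Test-LocalAdministratorsCompliance {
    param([string[]]$Names, [string[]]$SidPatterns)
    $members    = @(Get-LocalAdministratorsMembers)
    $unexpected = @($members | Where-Object {
        $short = if ($_.Name) { $_.Name.Split('\')[-1] } else { '' }
        $sid   = $_.Sid
        -not (($Names -contains $short) -or
              (@($SidPatterns | Where-Object { $sid -match $_ }).Count -gt 0))
    })
    [pscustomobject]@{
        Members    = $members
        Unexpected = $unexpected
        Compliant  = ($unexpected.Count -eq 0)
    }
}

$result = Test-LocalAdministratorsCompliance -Names $AllowedNames -SidPatterns $AllowedSidPatterns
$result.Members | Format-Table Sid, Name -AutoSize

if ($result.Compliant) {
    Write-Output 'Compliant: only expected members are in Administrators'
    exit 0
}
foreach ($m in $result.Unexpected) {
    $label = if ($m.Name) { $m.Name } else { '<orphaned SID>' }
    Write-Output "Unexpected member: $label ($($m.Sid))"
}
exit 1
```

Note that an orphaned SID still counts as unexpected here: an unresolvable member is precisely the trace you want flagged, not silently skipped.
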
Changed/Updated 🔄️

Settings Catalog

🔄️Win - OIB - ES - Attack Surface Reduction - D - ASR Rules (L2)

  • Changed "Block use of copied or impersonated system tools" from Audit to Block
  • Changed "Block Office applications from injecting code into other processes" from Audit to Block
  • Changed "Block credential stealing from the Windows local security authority subsystem" from Audit to Block
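
To confirm the three rules really are enforced in Block mode on a device, here is a check added as an example (not OpenIntuneBaseline's own code). It reads the effective Defender configuration with `Get-MpPreference`, maps the rule GUIDs Microsoft publishes for these three rules to their action codes, and lists recent ASR events (1121 = blocked, 1122 = audited) so you can see what the old Audit telemetry would now block.

```powershell
# Added example, not part of OpenIntuneBaseline: verify the three ASR rules moved to
# Block in the ASR Rules (L2) profile are enforced. Rule GUIDs are Microsoft's published
# identifiers for these rules; action codes follow Get-MpPreference's encoding.

$RuleGuids = @{
    'Block use of copied or impersonated system tools'                              = 'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb'
    'Block Office applications from injecting code into other processes'            = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block credential stealing from the Windows local security authority subsystem' = '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
}

$ActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleState {
    # Returns a map of lower-case rule GUID -> action code from the effective config.
    $pref  = Get-MpPreference
    $state = @{}
    $ids   = @($pref.AttackSurfaceReductionRules_Ids)
    $acts  = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $state[$ids[$i].ToLower()] = [int]$acts[$i]
    }
    return $state
}

function Test-AsrBlockMode {
    param([hashtable]$Rules)
    $state = Get-AsrRuleState
    foreach ($name in $Rules.Keys) {
        $guid = $Rules[$name].ToLower()
        $code = if ($state.ContainsKey($guid)) { $state[$guid] } else { $null }
        [pscustomobject]@{
            Rule   = $name
            Guid   = $guid
            Action = if ($null -eq $code) { '<not configured>' }
                     elseif ($ActionNames.ContainsKey($code)) { $ActionNames[$code] }
                     else { "code $code" }
            Block  = ($code -eq 1)
        }
    }
}

$results = @(Test-AsrBlockMode -Rules $RuleGuids)
$results | Format-Table Rule, Action, Block -AutoSize

# What Audit mode was recording is what Block mode will now stop: 1122 = audited,
# 1121 = blocked, both in the Defender operational log with the rule GUID in the message.
$recent = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122
} -MaxEvents 20 -ErrorAction SilentlyContinue
if ($recent) {
    $recent |
        Select-Object TimeCreated, Id,
            @{ n = 'RuleGuid'; e = { [regex]::Match($_.Message, '[0-9a-fA-F-]{36}').Value.ToLower() } } |
        Format-Table -AutoSize
}

if ($results | Where-Object { -not $_.Block }) { exit 1 } else { exit 0 }
```

A rule that shows `<not configured>` means the profile has not applied (or a later policy overrode it), which is a different problem from one still sitting in Audit.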

🔄️Win - OIB - ES - Encryption - D - BitLocker (OS Disk)

  • Updated the following setting to align with CIS recommendations. Resolves #80:
    • Choose how BitLocker-protected operating system drives can be recovered - Do not allow 256-bit recovery key

🔄️Win - OIB - SC - Device Security - D - Audit and Event Logging

  • Added the following setting from the 25H2 Security Baseline:
    • Include command line in process creation events - Enabled

🔄️Win - OIB - SC - Device Security - D - Security Hardening

  • Added the following new setting from the 25H2 Security Baseline:
    • Disable Internet Explorer 11 as a standalone browser - Enabled
      • Notify that Internet Explorer 11 browser is disabled - Never
  • Added the following Smart Screen-related settings from the CIS Intune Benchmark:
    • Enable Smart Screen In Shell - Enabled
    • Prevent Override For Files In Shell - Enabled
  • Removed the following settings as they have been marked as obsolete and have also been removed from the 25H2 Security Baseline:
    • WDigest Authentication
  • The following settings have been removed from this profile and are now found in the new Win - OIB - SC - Device Security - D - Printing - v3.7 profile:
    • Allow Print Spooler to accept client connections - Disabled
    • Point and Print Restrictions - Enabled
      • Users can only point and print to these servers - True
      • When installing drivers for a new connection - Show warning and elevation prompt
      • When updating drivers for an existing connection - Show warning and elevation prompt
    • Limits print driver installation to Administrators - Enabled

🔄️Win - OIB - SC - Device Security - D - User Rights

Note

This is the SID for the "RESTRICTED SERVICES\PrintSpoolerService" account. Huge thanks to @ajf8729 for managing to decipher this as Microsoft didn't want to document or localise it!

  • Added the following settings from v4.0.0 of the CIS Intune Benchmark:
    • Deny Log On As Batch Job - *S-1-5-32-546
    • Deny Log On As Service - *S-1-5-32-546
    • Shut Down The System - *S-1-5-32-544,*S-1-5-32-545
  • Changed the following settings to align with v4.0.0 of the CIS Intune Benchmark:
    • Deny Access From Network - *S-1-5-113,*S-1-5-32-546
    • Deny Remote Desktop Services Log On - *S-1-5-113,*S-1-5-32-546
  • Updated the following setting to resolve #91:
    • Increase Scheduling Priority - *S-1-5-32-544, *S-1-5-90-0
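
To verify that these assignments are what a device actually ends up with, here is a check added as an example (not OpenIntuneBaseline's own code). It exports the effective policy with `secedit`, parses the `[Privilege Rights]` section, translates the SIDs listed above to account names so the report is readable, and compares them with the expected sets. Assumptions: the privilege constant names are the standard `SeXxx` names for the rights listed above, and the script runs elevated.

```powershell
# Added example, not part of OpenIntuneBaseline: compare effective user rights on a
# device with the SIDs the User Rights profile assigns. Run elevated.
# Privilege constants are the standard names for the rights listed in the release notes.

$Expected = @{
    SeDenyBatchLogonRight             = @('S-1-5-32-546')                 # Deny Log On As Batch Job
    SeDenyServiceLogonRight           = @('S-1-5-32-546')                 # Deny Log On As Service
    SeShutdownPrivilege               = @('S-1-5-32-544', 'S-1-5-32-545') # Shut Down The System
    SeDenyNetworkLogonRight           = @('S-1-5-113', 'S-1-5-32-546')    # Deny Access From Network
    SeDenyRemoteInteractiveLogonRight = @('S-1-5-113', 'S-1-5-32-546')    # Deny Remote Desktop Services Log On
    SeIncreaseBasePriorityPrivilege   = @('S-1-5-32-544', 'S-1-5-90-0')   # Increase Scheduling Priority
}

function Resolve-Sid {
    param([string]$Sid)
    try   { (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { "<unresolved: $Sid>" }   # the OS has no localised name for this SID
}

function Get-EffectiveUserRights {
    # secedit writes an INF; [Privilege Rights] holds lines like 'SeXxx = *S-1-5-32-544,*S-1-5-32-545'
    $inf = Join-Path $env:TEMP ('secpol-{0}.inf' -f [guid]::NewGuid())
    & secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $rights = @{}
    $inSection = $false
    foreach ($line in Get-Content -LiteralPath $inf) {
        if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^(Se\w+)\s*=\s*(.*)$') { continue }
        $name = $Matches[1]
        $rights[$name] = @($Matches[2] -split ',' | ForEach-Object {
            $e = $_.Trim()
            if ($e.StartsWith('*')) { $e.Substring(1) }   # already a SID
            else {
                # secedit sometimes emits names instead of SIDs; normalise to SIDs
                try { ([System.Security.Principal.NTAccount]$e).Translate([System.Security.Principal.SecurityIdentifier]).Value }
                catch { $e }
            }
        })
    }
    Remove-Item -LiteralPath $inf -Force -ErrorAction SilentlyContinue
    return $rights
}

function Compare-UserRights {
    param([hashtable]$Expected, [hashtable]$Actual)
    foreach ($right in $Expected.Keys) {
        $want = @($Expected[$right]) | Sort-Object
        $have = @($Actual[$right])   | Sort-Object     # a right assigned to nobody is simply absent
        [pscustomobject]@{
            Right    = $right
            Expected = (@($want | ForEach-Object { Resolve-Sid $_ })) -join '; '
            Actual   = (@($have | ForEach-Object { Resolve-Sid $_ })) -join '; '
            Match    = (($want -join ',') -eq ($have -join ','))
        }
    }
}

$actual = Get-EffectiveUserRights
$report = @(Compare-UserRights -Expected $Expected -Actual $actual)
$report | Format-Table -AutoSize -Wrap
if ($report | Where-Object { -not $_.Match }) { exit 1 } else { exit 0 }
```

The `Resolve-Sid` output also shows you directly which SIDs the OS can name: a SID that comes back as `<unresolved>` is one Windows ships no display name for, which is why the decoding in the note above was needed.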

🔄️Win - OIB - SC - Device Security - U - Device Guard, Credential Guard and HVCI

  • Changed the following settings from "Without UEFI Lock" to "With UEFI Lock". This now matches both MS and CIS recommendations:
    • Credential Guard
    • Configure Lsa Protected Process
    • Hypervisor Enforced Code Integrity

Important

Enabling these settings with a UEFI lock means they can no longer be turned off simply by removing or changing the policy: the lock is held in a UEFI variable that must be cleared with a physically present user confirming the change at boot. Plan for that before relying on a quick rollback; overall, however, this change provides a better security posture.

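A status check for the locked state, added as an example (not OpenIntuneBaseline's own code). It reads the Device Guard WMI class for what is actually running and the registry for whether each feature is UEFI-locked. Registry semantics it relies on: `LsaCfgFlags` and `RunAsPPL` are 1 for enabled with UEFI lock and 2 for enabled without it, and `HypervisorEnforcedCodeIntegrity` carries separate `Enabled` and `Locked` values.

```powershell
# Added example, not part of OpenIntuneBaseline: report whether Credential Guard,
# LSA protection and HVCI are running and whether each is UEFI-locked, so you know
# before un-assigning the profile that doing so will NOT switch them off.
# Registry semantics: LsaCfgFlags / RunAsPPL 1 = enabled with UEFI lock,
# 2 = enabled without lock; HVCI has separate Enabled and Locked values.

function Get-VbsSecurityState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (newer features use other values)
    $running = @($dg.SecurityServicesRunning)
    $lsa  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $hvci = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        VbsStatus              = $dg.VirtualizationBasedSecurityStatus   # 2 = running
        CredentialGuardRunning = ($running -contains 1)
        CredentialGuardLocked  = ($lsa.LsaCfgFlags -eq 1)
        LsaPplConfigured       = ($lsa.RunAsPPL -in @(1, 2))   # takes effect after reboot
        LsaPplLocked           = ($lsa.RunAsPPL -eq 1)
        HvciRunning            = ($running -contains 2)
        HvciLocked             = ($hvci.Enabled -eq 1 -and $hvci.Locked -eq 1)
    }
}

$state = Get-VbsSecurityState
$state | Format-List

# The practical consequence of "With UEFI Lock": un-assigning the Intune profile leaves
# the feature on. Per Microsoft's documentation, clearing the lock needs the device-side
# opt-out steps plus a physically present user confirming at the next boot.
if ($state.CredentialGuardLocked -and $state.HvciLocked -and $state.LsaPplLocked) {
    Write-Output 'All three features are UEFI-locked: removing the policy alone will not disable them.'
}
```

Running this on a pilot device before and after the profile change shows whether the lock has taken (the `*Locked` fields flip to True only after the reboot that applies it).
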
🔄️Win - OIB - SC - Microsoft Edge - D - Security

  • Removed the following settings as they have been marked as obsolete. Resolves #101:
    • Allow the Search bar at Windows startup (obsolete)
    • Minimum TLS version enabled (obsolete)
    • Specifies whether to allow websites to make requests to any network endpoint in an insecure manner (obsolete)

🔄️Win - OIB - SC - Microsoft Edge - U - User Experience

  • Removed the following settings as they have been marked as obsolete. Resolves #101:
    • Configure the Microsoft Edge new tab page experience (obsolete)
    • Enable CryptoWallet feature (obsolete)

Removed 🚮

🚮Win - OIB - SC - Windows Update for Business - D - Restart Warnings - v3.1

At some point, Microsoft seems to have changed the documentation for these policies to now state that they are only applicable to Windows 10, and not Windows 11 (example).
I have raised this with the Product Group to get clarification as this feels like a negative regression in functionality, but for now, I've removed the profile.

🚮Win - OIB - SC - Google Chrome - D - Security - v3.0 (Deprecated)

🚮Win - OIB - SC - Google Chrome - U - Experience and Extensions - v3.0 (Deprecated)

🚮Win - OIB - SC - Google Chrome - U - Profiles, Sign-In and Sync - v3.0 (Deprecated)

After deprecating them in v3.4, I've now removed the Google Chrome profiles from the repo completely.

windows-v3.6

13 May 11:26
7038114


Windows v3.6 - 2025-05-13 - Post-MMS Edition

Added

Settings Catalog

Win - OIB - SC - Microsoft Office - D - Device Security - v3.6
Win - OIB - SC - Microsoft Office - U - User Security - v3.6
By popular demand, I've added a new set of policies to help secure Microsoft Office on Windows devices. These policies are based on the most recent Microsoft 365 Apps Security Baseline v2412 and are designed to enhance the security posture of Office applications.

I have split the policies into two separate profiles: one for Device Security and one for User Security. This allows for more granular control over the security settings applied to Office applications if required.

Important

These policies are only applicable to Microsoft 365 Apps for Enterprise (included with M365 E*/A*/F*), not Microsoft 365 Apps for Business (included with M365 Business Premium).
This behaviour is documented here

Warning

The M365 Apps Security Baseline disables a number of features that may impact user experience, such as the use of macros and add-ins. Please review the settings and test in a controlled environment before deploying widely!

Win - OIB - SC - Device Security - D - Local Security Policies (24H2+) - v3.6

  • Exact duplicate of the existing Local Security Policies profile with one difference to support the new LAPS settings while maintaining a good security posture.
    • Accounts Enable Administrator Account Status - Disable

Endpoint Security

Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6

  • Added the following settings to benefit from the new 24H2 LAPS configuration:
    • Backup Directory - Backup the password to Azure AD only
    • Password Age (Days) - 7
    • Password Complexity - Passphrase (short words with unique prefixes)
      • Passphrase Length - 4
    • Password Length - 21
    • Post-Authentication Actions - Reset the password, logoff the managed account, and terminate any remaining processes
    • Post-Authentication Reset Delay (Hours) - 1
    • Automatic Account Management Enabled - The target account will be automatically managed
      • Automatic Account Management Enable Account - The target account will be automatically managed
      • Automatic Account Management Randomize Name - The name of the target account will not use a random numeric suffix
      • Automatic Account Management Target - Manage a new custom administrator account

Changed/Updated

Settings Catalog

Win - OIB - SC - Defender Antivirus - D - Additional Configuration

  • Added the following new setting from the 24H2 Security Baseline:
    • Enable Dynamic Signature Dropped Event Reporting - Dynamic Security intelligence update events will be reported.

Win - OIB - SC - Device Security - D - Security Hardening

  • Added additional settings now available from the 24H2 Security Baseline:

    Lanman Server

    • Audit Client Does Not Support Encryption - Enabled
    • Audit Client Does Not Support Signing - Enabled
    • Audit Insecure Guest Logon - Enabled
    • Auth Rate Limiter Delay In Ms - 2000
    • Enable Auth Rate Limiter - Enabled
    • Enable Mailslots - Disabled
    • Min Smb2 Dialect - SMB 3.0.0
    • Max Smb2 Dialect - SMB 3.1.1

    Lanman Workstation

    • Audit Server Does Not Support Encryption - Enabled
    • Audit Server Does Not Support Signing - Enabled
    • Audit Insecure Guest Logon - Enabled
    • Enable Mailslots - Disabled
    • Min Smb2 Dialect - SMB 3.0.0
    • Max Smb2 Dialect - SMB 3.1.1
    • Require Encryption - Disabled

Win - OIB - SC - Device Security - U - Power and Device Lock

  • Removed the following settings as they have been removed from the CIS recommendations:
    • Allow standby states (S1-S3) when sleeping (on battery)
    • Allow standby states (S1-S3) when sleeping (plugged in)
    • Allow Hibernate
    • Require use of fast startup

Win - OIB - SC - Microsoft Edge - D - Security

  • Added the following settings from the Microsoft Edge baseline and CIS Edge Benchmark:

    • Allow download restrictions - Block Malicious Downloads (Reduced from "Block malicious downloads and dangerous file types")
    • Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode - Disabled
    • Dynamic Code Settings - Enabled
      • Dynamic Code Settings (Device) - Default Dynamic Code Settings
    • Enable Application Bound Encryption - Enabled
    • Enable browser legacy extension point blocking - Enabled
    • Enable site isolation for every site - Enabled
    • Enhance the security state in Microsoft Edge - Enabled
      • Enhance the security state in Microsoft Edge (Device) - Balanced Mode
    • Show the Reload in Internet Explorer mode button in the toolbar - Disabled
    • Specifies whether to allow insecure websites to make requests to more-private network endpoints - Disabled
  • Added the following setting to turn on the new Scareware Protection feature.

    • Configure Edge Scareware Blocker Protection - Enabled

Win - OIB - SC - Microsoft Edge - D - Updates

  • Added "Set the time period for update notifications" configured to 259200000 which is the time in milliseconds (72 hours) before Edge forces a restart to apply a pending update.

Win - OIB - SC - Microsoft Edge - U - User Experience

  • Removed "Enable full-tab promotional content" as it was deprecated.
  • Added "Enable Gamer Mode" set to Disabled

Win - OIB - SC - Microsoft Office - U - Config and Experience

  • Removed deprecated version of "Allow users to receive and respond to in-product surveys from Microsoft".

Win - OIB - SC - Windows User Experience - U - Copilot

  • Changed "Turn Off Copilot in Windows" from "Enable Copilot" to "Disable Copilot".

Note

This only impacts the old experience. I recommend also deploying the "Microsoft Copilot" app (9NHT9RB2F4HD) as a required uninstall.
https://learn.microsoft.com/en-gb/windows/client-management/manage-windows-copilot#policy-information-for-previous-copilot-in-windows-preview-experience

windows-v3.5

20 Feb 11:30
193226e


Windows v3.5 - 2025-02-20 - 24H2 Baseline Edition (Mostly)

Added

Settings Catalog

Win - OIB - SC - Device Security - D - Windows Package Manager - v3.5

  • Added configuration that is being added to the CIS Benchmark, as well as some additional, non-impacting restrictions to the Desktop App Installer (winget):
    • Enable App Installer Experimental Features - Disabled
    • Enable App Installer Hash Override - Disabled
    • Enable App Installer Local Manifest Files - Disabled
    • Enable App Installer ms-appinstaller protocol - Disabled
    • Enable App Installer Settings - Disabled

Note

If you disable the App Installer completely by setting either "Enable App Installer" or "Enable App Installer Microsoft Store Source" to "Disabled", it will break delivery of Store apps from Intune!
So don't do that :)

Changed/Updated

Settings Catalog

Win - OIB - SC - Defender Antivirus - D - Additional Configuration

Win - OIB - SC - Device Security - D - Security Hardening

Win - OIB - SC - Device Security - D - User Rights

  • Removed S-1-2-0 (Local) from "Deny Remote Desktop Services Log On" as this breaks Windows 365 access. Resolves #69

Win - OIB - SC - Device Security - U - Device Guard, Credential Guard and HVCI

  • Added the following setting from the 24H2 Baseline:

Win - OIB - SC - Microsoft Office - U - Config and Experience

  • Added a recently introduced setting to make files clicked in Teams open in the desktop apps rather than in SPO:
    • File links open preference default selection as Desktop App (User) - Enabled
  • Added a setting to remove some options from the save locations available. The tooltip is confusing but 137 restricts OneDrive Personal, SharePoint OnPrem and (most importantly) Third-party Services (e.g Box, Dropbox, Egnyte, ShareFile) from the "Add a place" in the Save As menu.
    • Hide Microsoft cloud-based file locations in the Backstage view (User) - 137

Win - OIB - SC - Windows Hello for Business - D - Cloud Kerberos Trust - v3.5

  • Added "Cloud Kerberos Ticket Retrieval Enabled" set to Enabled.

windows-v3.4

24 Jan 14:49
2a91481


Windows v3.4 - 2025-01-24

Important

A UI change in November '24 has made all policy types visible in the Configuration blade. This has caused a lot of confusion when trying to identify policies configured via Endpoint Security.
By "popular" demand, ALL policies have been renamed to add the policy type into the naming convention which will assist with identifying if the policy actually exists elsewhere:

SC - Settings Catalog

ES - Endpoint Security

TP - Template

To save even more confusion, I've not bumped everything up a whole version because nothing has changed beyond the name, with the exception of the Defender Antivirus Update Rings, to which I've had to add version numbers.

I realise that those with existing versions of the OIB deployed will now be in a situation where they either have to rename all their other policies to match, or rename the new ones they import.
Sorry :(

Added

Settings Catalog

Win - OIB - SC - Device Security - D - Script File Associations - v3.4

  • Added a Default File Associations policy to make the following file types open in notepad by default:
    appx, bat, cab, com, cmd, hta, js, jse, ps1, s1m, sct, shb, shs, wsf, wsh, vbe, vbs
    • Inspired by this blog and adapted to use in Intune by taking the file association XML and converting to Base64.

Warning

Deploying will break running any PowerShell scripts from Intune in the User context. Amend policy if this functionality is required.
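
The conversion step the bullet above describes, as an added example (not OpenIntuneBaseline's own code nor the linked blog's): build the DefaultAssociations XML that points the listed extensions at Notepad, Base64-encode it in the form the Intune Default Associations Configuration setting takes, and decode it again to prove the payload is well-formed before it is pasted into the policy. Assumptions: the Notepad ProgId is `txtfile` with ApplicationName `Notepad`; run `dism /online /Export-DefaultAppAssociations:assoc.xml` on a reference device to confirm the ProgId for your build.

```powershell
# Added example, not part of OpenIntuneBaseline: generate the DefaultAssociations XML
# for the script file types in the profile and Base64-encode it for Intune.
# Assumptions: Notepad's ProgId is "txtfile" and its ApplicationName "Notepad";
# confirm with "dism /online /Export-DefaultAppAssociations:assoc.xml" on a reference device.

$Extensions = 'appx','bat','cab','com','cmd','hta','js','jse','ps1','s1m','sct','shb','shs','wsf','wsh','vbe','vbs'

function New-DefaultAssociationsXml {
    param(
        [string[]]$Extension,
        [string]$ProgId          = 'txtfile',   # assumption, see lead-in
        [string]$ApplicationName = 'Notepad'    # assumption, see lead-in
    )
    $doc = New-Object System.Xml.XmlDocument
    $doc.AppendChild($doc.CreateXmlDeclaration('1.0', 'UTF-8', $null)) | Out-Null
    $root = $doc.AppendChild($doc.CreateElement('DefaultAssociations'))
    foreach ($ext in $Extension) {
        $a = $doc.CreateElement('Association')
        $a.SetAttribute('Identifier', '.' + $ext.TrimStart('.').ToLower())
        $a.SetAttribute('ProgId', $ProgId)
        $a.SetAttribute('ApplicationName', $ApplicationName)
        $root.AppendChild($a) | Out-Null
    }
    return $doc
}

function ConvertTo-PolicyBase64 {
    param([System.Xml.XmlDocument]$Xml)
    # Serialise as UTF-8 without a BOM, then Base64 the raw bytes.
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Encoding = New-Object System.Text.UTF8Encoding($false)
    $settings.Indent   = $true
    $ms     = New-Object System.IO.MemoryStream
    $writer = [System.Xml.XmlWriter]::Create($ms, $settings)
    $Xml.Save($writer)
    $writer.Dispose()
    return [Convert]::ToBase64String($ms.ToArray())
}

function ConvertFrom-PolicyBase64 {
    # Round-trip check: decode what you are about to paste and confirm it parses.
    param([string]$Base64)
    $xml = New-Object System.Xml.XmlDocument
    $xml.LoadXml([System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64)))
    return $xml
}

$doc   = New-DefaultAssociationsXml -Extension $Extensions
$b64   = ConvertTo-PolicyBase64 -Xml $doc
$check = ConvertFrom-PolicyBase64 -Base64 $b64
Write-Output ("{0} associations encoded, {1} recovered on decode" -f $Extensions.Count, @($check.DefaultAssociations.Association).Count)
Write-Output $b64   # paste this as the setting's value

# Per the warning above, .ps1 -> Notepad also breaks Intune user-context scripts;
# remove 'ps1' from $Extensions if you depend on those.
```

Keeping the decode step in the workflow catches the usual failure, a stray BOM or line-wrapped Base64 that Intune accepts silently and the device then ignores.
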

Win - OIB - SC - Device Security - U - Windows Sandbox - v3.4

  • Added new available settings to restrict the Windows Sandbox feature.
    I've gone back and forth on this one as there are no security recommendations for Sandbox, though have taken the following into consideration:

    • You have to be an Administrator to enable the feature
    • Sandbox has legitimate and helpful use-cases for IT Admins such as testing installs or via things like Run In Sandbox
    • The risk of data exfiltration from the host via the Sandbox is entirely dependent on network connectivity.

    Therefore, the configuration applied allows the use of copy and paste/clipboard redirection into the sandbox, but all other settings, including networking, are not allowed.

    I feel this is a meaningful middle ground that avoids making the feature worthless to those who may have a valid use-case.

Endpoint Security

Win - OIB - ES - Encryption - U - Personal Data Encryption - v3.4

  • Added in Intune 2409, PDE utilises the user's Windows Hello for Business credentials as a separate encryption key to secure data within OneDrive Known Folders (Documents, Desktop, Pictures)
    As Intune doesn't provide a native way of doing pre-boot BitLocker PINs, in my opinion, PDE is the bridging gap to ensuring important data is properly encrypted in cases of device theft (which is already an edge case).

Important

Please do the necessary reading on what PDE is and the prerequisites and licensing required, and the MS FAQ before deploying this policy.

Template

Win - OIB - TP - Health Monitoring - D - Endpoint Analytics - v3.4

Changed/Updated

Settings Catalog

Win - OIB - SC - Defender Antivirus - D - Additional Configuration

Win - OIB - SC - Device Security - D - Security Hardening

  • Added the following settings to close some non-impactful gaps against the CIS Benchmark:

    Administrative Templates > Network > Windows Connection Manager

    • Minimize the number of simultaneous connections to the Internet or a Windows Domain - Enabled: 3 = Prevent Wi-Fi when on Ethernet

    Administrative Templates > Printers

    • Limits print driver installation to Administrators - Enabled
    • Point and Print Restrictions - Enabled
      • Users can only point and print to these servers - True
      • When installing drivers for a new connection - Show warning and elevation prompt
      • When updating drivers for an existing connection - Show warning and elevation prompt
    • Allow Print Spooler to accept client connections - Disabled

    Wireless Display

    • Allow Projection from PC - Your PC can discover and project to other devices.
    • Allow Projection to PC - Projection to PC is not allowed. Always off and the user cannot enable it.
    • Require PIN for Pairing - Pairing ceremony for new devices will always require a PIN.

Win - OIB - SC - Device Security - D - Timezone

  • Changed the User Rights settings to match the defaults of LOCAL SERVICE (S-1-5-19), Administrators (S-1-5-32-544) and Users (S-1-5-32-545). Fixes #66

    Thanks for everyone's input in Discussion #49!

Important

Despite this change, there is a current MS-recognised issue in 24H2 where the Time Zone settings are missing to standard users: https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2#date---time-in-window-settings-might-not-permit-users-to-change-time-zone

Win - OIB - SC - Device Security - D - User Rights

  • Removed the following User Rights settings that were all configured to (<![CDATA[...]]>):

    • "Access Credential Manager as a trusted caller"
    • "Act as part of the operating system"
    • "Create a token object"
    • "Create permanent shared objects"
    • "Enable computer and user accounts to be trusted for delegation"
    • "Lock pages in memory"
    • "Modify an object label"

    All of the above are empty by default on Windows, and it's difficult to tell whether the policy is just silently erroring (as the use of (<![CDATA[...]]>) is only valid when using Custom OMA-URI as per the docs) or whether the setting remains empty simply because that's the default.
    Either way, it's an enforcement of defaults, and with the difficulty of verifying the policy even works correctly, I'm removing the offending settings until a better solution presents itself.

  • Added *S-1-2-0 to "Deny Remote Desktop Services Log On" to match the CIS recommendation.

  • Fixed missing asterisk on S-1-5-6 of "Create Global Objects". Fixes #64

Win - OIB - SC - Microsoft Edge - D - Security

  • Added "Configure Edge TyposquattingChecker" set to Enabled.
  • Added "Allow websites to query for available payment methods" set to Disabled.
  • Replaced superseded "Allow Download Restrictions" setting with newer version. Maintained the value of 1 (BlockDangerousDownloads).
  • Removed "Show Hubs Sidebar" setting as it was duplicated in the User Experience policy.

Win - OIB - SC - Microsoft Edge - D - User Experience

  • Added "Enable CryptoWallet feature (User)" set to Disabled
  • Added "Shopping in Microsoft Edge Enabled (User)" set to Disabled
  • Removed "Show Hubs Sidebar (User)" and "Search in Sidebar enabled (User)" as there must have been a change that now causes them to block the use of the Copilot button.
    • Thanks to Lewis for reporting and testing the fix to this!

Win - OIB - SC - Microsoft Store - D - Configuration

  • Added setting "Block Non Admin User Install" set to "Block".

Endpoint Security

Win - OIB - ES - Defender Antivirus Updates - Ring *

  • All policies have been given the 3.4 version number. No actual policy changes have been made.

Deprecated

Settings Catalog

Google Chrome

Maintaining a level of parity between Edge and Chrome is difficult, and the OIB Chrome policies were (on purpose) very "Anti Chrome".
My focus will be to ensure the best set of policies for Edge moving forward, and dropping the Chrome policies.

It is my opinion that Edge should be the primary and only browser available in an enterprise environment, and continued efforts by Microsoft to improve the security and manageability of Edge for Business backs this up.
My recommendation is to use the Edge Management Service to "Block other Browsers" which creates and deploys an AppLocker policy to b

Removed

Settings Catalog

Win - OIB - Network - D - BITS Configuration

  • Provided n...

windows-v3.3

02 Sep 12:52
f44f081


v3.3 release of OIB for Windows!
Windows Readme
Windows Change Log

What's Changed

Issues Resolved

Full Changelog: win365-v1.0...windows-v3.3

win365-v1.0

02 Sep 12:36
ba05a8c


v1.0 release of OIB for Windows 365!
W365 Readme
W365 Change Log

What's Changed

Full Changelog: macos-v1.0...win365-v1.0

macos-v1.0

02 Sep 12:11
13e313d


v1.0 release of OIB for MacOS!
MacOS Readme
MacOS Change Log

What's Changed

New Contributors

Full Changelog: v3.2...macos-v1.0

OIB v3.2

02 Aug 14:12
21f847a


GitHub noob using the Releases feature for the first time. Let's see if this works right...

What's Changed

Full Changelog:
https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/blob/main/CHANGELOG.md#v32---2024-08-02

Contributor Thanks