From 7ac299ba776a3d67421d31b6275d139b49657dde Mon Sep 17 00:00:00 2001 From: aendrawos <91459443+aendrawos@users.noreply.github.com> Date: Tue, 3 Sep 2024 06:57:27 +0300 Subject: [PATCH 01/14] Update custom-settings-linux.md The current statement is wrong The script will only start to run after that the user gives consent. After that consent, the script can keep executing normally. --- memdocs/intune/configuration/custom-settings-linux.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/configuration/custom-settings-linux.md b/memdocs/intune/configuration/custom-settings-linux.md index e9edec7477b..187f986c685 100644 --- a/memdocs/intune/configuration/custom-settings-linux.md +++ b/memdocs/intune/configuration/custom-settings-linux.md @@ -61,7 +61,7 @@ This article lists the steps to add an existing script and has a GitHub repo wit - **Execution context**: Select the context the script is executed in. Your options: - **User** (default): When a user signs in to the device, the script runs. If a user never signs into the device, or there isn't any user affinity, then the script doesn't run. - - **Root**: The script always runs (with or without users logged in) at the device level. + - **Root**: The script always runs (with or without users logged in) at the device level. (**Note**: The user will have to give consent for the first time the script is executing, afterward it will continue to execute in its schedule) - **Execution frequency**: Select how frequently the script is executed. The default is **Every 15 minutes**. From a4fd9136c3509e3dd4047fae1522050070760072 Mon Sep 17 00:00:00 2001 
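Review bot: the parenthetical added to the **Root** bullet contradicts the sentence it extends, which says the script "always runs (with or without users logged in)"; if first-run consent is required, the bullet should say which user is prompted and whether the script is held until someone signs in, instead of leaving both statements side by side. The note is also a run-on ("executing, afterward it will continue") and a bold **Note** inside parentheses isn't the style used elsewhere in this bullet list; a plain second sentence stating who consents and what happens before consent is given would read cleaner.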
From: Kara Wang <146743611+kara-wang@users.noreply.github.com> Date: Mon, 6 Jan 2025 11:56:18 -0500 Subject: [PATCH 02/14] Update remote-help-android.md Updating overlay permission as Samsung now provides the ability to be granted silently in OEMConfig --- memdocs/intune/fundamentals/remote-help-android.md | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/memdocs/intune/fundamentals/remote-help-android.md b/memdocs/intune/fundamentals/remote-help-android.md index 681ad9aca70..650e82bf80b 100644 --- a/memdocs/intune/fundamentals/remote-help-android.md +++ b/memdocs/intune/fundamentals/remote-help-android.md @@ -233,13 +233,7 @@ In this section: > [!IMPORTANT] > If the device is running in kiosk mode, the Settings app (which is where the permission is granted) needs to be designated as a system app so that it can launch. See [Granting overlay permissions to Managed Home Screen for Android Enterprise dedicated devices](https://techcommunity.microsoft.com/t5/intune-customer-success/granting-overlay-permissions-to-managed-home-screen-for-android/ba-p/3247041) for detailed instructions. -The Remote Help app needs the **Display over other apps** or **Appear on top** permission to display the Remote Help session UI. To grant this permission, complete the following steps: - -1. After installing the Remote Help app, launch it. - -2. If the permission isn't already granted, the app displays a prompt that launches **Settings** to grant the permission. - -3. Tap **Grant** on the prompt, scroll down to **Appear on top** and turn the setting **On**. (The specific UI may differ depending on your device.) +The Remote Help app needs the **Display over other apps** or **Appear on top** permission to display the Remote Help session UI. To grant this permission, create an OEMConfig profile that configures the permissions in the OEMConfig app. ##### Knox KLMS Agent consent From 0288734abf00c226c87a30200d50ed1cd9b8acb2 Mon Sep 17 00:00:00 2001 
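Review bot: the replacement sentence removes the three manual grant steps without leaving a fallback, yet the `[!IMPORTANT]` note kept just above it still tells kiosk-mode admins to make the Settings app launchable because that is "where the permission is granted", so that note now points at a procedure the page no longer describes. The commit message scopes the change to Samsung ("Samsung now provides the ability to be granted silently in OEMConfig"), but the new text reads as if any Android device can receive the overlay permission through OEMConfig; suggest qualifying it as the Samsung/Knox path, naming which OEMConfig app the profile targets, keeping the manual steps for devices that can't use OEMConfig, and stating explicitly that the grant is silent so admins know the **Display over other apps** permission (which lets the app draw over other apps' screens) will be granted with no on-device prompt.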
From: mnahum <65397448+mnahum@users.noreply.github.com> Date: Thu, 9 Jan 2025 14:40:57 +0100 Subject: [PATCH 03/14] Update app-protection-policy-settings-android.md Add the 2 new providers added in October --- memdocs/intune/apps/app-protection-policy-settings-android.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/memdocs/intune/apps/app-protection-policy-settings-android.md b/memdocs/intune/apps/app-protection-policy-settings-android.md index 64d73ce8164..3c711dae19e 100644 --- a/memdocs/intune/apps/app-protection-policy-settings-android.md +++ b/memdocs/intune/apps/app-protection-policy-settings-android.md @@ -114,6 +114,9 @@ There are some exempt apps and platform services that Intune app protection poli |com.google.android.apps.maps |Google Maps |Addresses are allowed for navigation. | |com.android.documentsui|Android Document Picker|Allowed when opening or creating a file.| |com.google.android.documentsui |Android Document Picker (Android 10+)|Allowed when opening or creating a file.| + |com.samsung.android.providers.contacts | Samsung contacts provider | Allowed for Samsung devices. | + |com.android.providers.blockednumber | Android Block number provider | Allowed for Android devices. | + For more information, see [Data transfer policy exceptions for apps](app-protection-policies-exception.md). From 2201830ed9f1a4fae65b0f5de517b1866a2e889c Mon Sep 17 00:00:00 2001 From: mnahum <65397448+mnahum@users.noreply.github.com> Date: Thu, 9 Jan 2025 15:43:34 +0100 Subject: [PATCH 04/14] Update app-protection-policy-settings-android.md fix location of providers --- .../intune/apps/app-protection-policy-settings-android.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/apps/app-protection-policy-settings-android.md b/memdocs/intune/apps/app-protection-policy-settings-android.md index 3c711dae19e..7d4750ea54b 100644 --- a/memdocs/intune/apps/app-protection-policy-settings-android.md 
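Review bot: the two rows are inserted into the **Conditional exemptions** table, whose lead-in says these apps are allowed "only ... under certain conditions", but their third cell ("Allowed for Samsung devices." / "Allowed for Android devices.") names no condition on the data transfer; if the providers are unconditionally exempt they belong in the unconditional list above, and if there is a condition (for example a particular transfer type), the cell should state it.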
+++ b/memdocs/intune/apps/app-protection-policy-settings-android.md @@ -101,6 +101,8 @@ There are some exempt apps and platform services that Intune app protection poli |com.azure.authenticator |Azure Authenticator app, which is required for successful authentication in many scenarios. | |com.microsoft.windowsintune.companyportal |Intune Company Portal| |com.android.providers.contacts |Native contacts app | + |com.samsung.android.providers.contacts | Samsung contacts provider | Allowed for Samsung devices. | + |com.android.providers.blockednumber | Android Block number provider | Allowed for Android devices. | ### Conditional exemptions These apps and services are only allowed for data transfer to and from Intune-managed apps under certain conditions. @@ -114,8 +116,7 @@ There are some exempt apps and platform services that Intune app protection poli |com.google.android.apps.maps |Google Maps |Addresses are allowed for navigation. | |com.android.documentsui|Android Document Picker|Allowed when opening or creating a file.| |com.google.android.documentsui |Android Document Picker (Android 10+)|Allowed when opening or creating a file.| - |com.samsung.android.providers.contacts | Samsung contacts provider | Allowed for Samsung devices. | - |com.android.providers.blockednumber | Android Block number provider | Allowed for Android devices. | + For more information, see [Data transfer policy exceptions for apps](app-protection-policies-exception.md). From afcd913d18b834232c7295c1828c86e9a6d8733e Mon Sep 17 00:00:00 2001 From: Jon Callahan Date: Thu, 9 Jan 2025 10:22:18 -0500 Subject: [PATCH 05/14] Update apps-deploy.md Added Device Available + Device Uninstall clarification conflicts table --- memdocs/intune/apps/apps-deploy.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/memdocs/intune/apps/apps-deploy.md b/memdocs/intune/apps/apps-deploy.md index c28f632a85d..7f538ea5788 100644 --- a/memdocs/intune/apps/apps-deploy.md +++ b/memdocs/intune/apps/apps-deploy.md 
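Review bot: moving the rows into the first (unconditional) exemptions table fixes the placement, but that table has two columns (`|com.android.providers.contacts |Native contacts app |`) while the moved rows keep three cells, so they render with a stray extra column; fold the "Allowed for ... devices." text into the description cell. A sentence in the lead-in would also help admins: once com.samsung.android.providers.contacts and com.android.providers.blockednumber are exempt from the data transfer policy, contact and blocked-number data can flow between managed apps and those providers on every device where they exist, which anyone relying on the policy to fence off contact data should be told.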
@@ -135,6 +135,8 @@ The information in the following table can help you understand the resulting int |User Uninstall|Device Required|Both exist, Intune resolves Required| |User Uninstall|Device Uninstall|Both exist, Intune resolves Uninstall| |Device Required|Device Uninstall|Required| +|Device Required|Device Available|Required and Available| +|Device Available|Device Uninstall|Uninstall| |User Required and Available|User Available|Required and Available| |User Required and Available|User Uninstall|Required and Available| |User Required and Available|Device Required|Both exist, Required and Available From 4b9c6239b2b7a483650199a5a230a1ee7d42cd4c Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Thu, 9 Jan 2025 13:32:43 -0500 Subject: [PATCH 06/14] text edits --- memdocs/intune/configuration/custom-settings-linux.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/memdocs/intune/configuration/custom-settings-linux.md b/memdocs/intune/configuration/custom-settings-linux.md index 187f986c685..c0538ff30e0 100644 --- a/memdocs/intune/configuration/custom-settings-linux.md +++ b/memdocs/intune/configuration/custom-settings-linux.md @@ -8,7 +8,7 @@ keywords: author: MandiOhlinger ms.author: mandia manager: dougeby -ms.date: 05/15/2024 +ms.date: 01/09/2025 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: configuration 
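Review bot: the two new rows don't follow the table's own phrasing; every other row where both intents survive says "Both exist, Intune resolves X", so `|Device Available|Device Uninstall|Uninstall|` should state whether the Available assignment is discarded or both exist with Uninstall winning, since the outcome is a silent removal of an app the same device group was also offered. The NOTE earlier in apps-deploy.md (changed later in this series) says Available assignments are only valid for user groups except for Win32 apps and Android Enterprise COBO/COPE devices, so a "Device Available" row needs a qualifier saying which app types and platforms it applies to.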
@@ -61,7 +61,7 @@ This article lists the steps to add an existing script and has a GitHub repo wit - **Execution context**: Select the context the script is executed in. Your options: - **User** (default): When a user signs in to the device, the script runs. If a user never signs into the device, or there isn't any user affinity, then the script doesn't run. - - **Root**: The script always runs (with or without users logged in) at the device level. (**Note**: The user will have to give consent for the first time the script is executing, afterward it will continue to execute in its schedule) + - **Root**: The script always runs (with or without users logged in) at the device level. The first time the script executes, the end user might have to consent. After they consent, it should continue to execute on its schedule. - **Execution frequency**: Select how frequently the script is executed. The default is **Every 15 minutes**. From 1c864dcb374f20c83e54e0e15c9f1b3b825614b1 Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Thu, 9 Jan 2025 12:37:22 -0800 Subject: [PATCH 07/14] Update date and punctuation in policy settings --- .../intune/apps/app-protection-policy-settings-android.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/memdocs/intune/apps/app-protection-policy-settings-android.md b/memdocs/intune/apps/app-protection-policy-settings-android.md index 7d4750ea54b..4f1626b965c 100644 --- a/memdocs/intune/apps/app-protection-policy-settings-android.md +++ b/memdocs/intune/apps/app-protection-policy-settings-android.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 09/23/2024 +ms.date: 01/09/2025 ms.topic: conceptual ms.service: microsoft-intune ms.subservice: apps 
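Review bot: the rewritten **Root** bullet now hedges ("might have to consent") but still leaves the question the earlier parenthetical raised: which user consents when the same bullet says the script runs "with or without users logged in", and whether the script is skipped until consent is given. One sentence stating the condition under which consent is requested and the script's status before it would close the gap; "The first time the script executes" could also be "The first time the script runs" to match the bullet's own wording.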
@@ -101,8 +101,8 @@ There are some exempt apps and platform services that Intune app protection poli |com.azure.authenticator |Azure Authenticator app, which is required for successful authentication in many scenarios. | |com.microsoft.windowsintune.companyportal |Intune Company Portal| |com.android.providers.contacts |Native contacts app | - |com.samsung.android.providers.contacts | Samsung contacts provider | Allowed for Samsung devices. | - |com.android.providers.blockednumber | Android Block number provider | Allowed for Android devices. | + |com.samsung.android.providers.contacts | Samsung contacts provider. Allowed for Samsung devices. | + |com.android.providers.blockednumber | Android Block number provider. Allowed for Android devices. | ### Conditional exemptions These apps and services are only allowed for data transfer to and from Intune-managed apps under certain conditions. From 3a9c66e4e65531c50f712071d35b313af32e1007 Mon Sep 17 00:00:00 2001 From: Erik Reitan Date: Thu, 9 Jan 2025 12:54:33 -0800 Subject: [PATCH 08/14] erikre-docs-30803316 --- memdocs/intune/apps/apps-deploy.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/memdocs/intune/apps/apps-deploy.md b/memdocs/intune/apps/apps-deploy.md index 7f538ea5788..38ef14ef911 100644 --- a/memdocs/intune/apps/apps-deploy.md +++ b/memdocs/intune/apps/apps-deploy.md @@ -8,7 +8,7 @@ keywords: author: Erikre ms.author: erikre manager: dougeby -ms.date: 06/27/2024 +ms.date: 01/09/2025 ms.topic: how-to ms.service: microsoft-intune ms.subservice: apps 
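Review bot: merging the third cell into the description fixes the column mismatch; while touching these rows, "Android Block number provider" should read "Android blocked number provider" to match com.android.providers.blockednumber, and the cell spacing (`| Samsung contacts provider. ...`) should match the neighbouring rows, which have no space after the opening pipe.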
@@ -39,7 +39,7 @@ ms.collection: After you've [added an app](apps-add.md) to Microsoft Intune, you can assign the app to users and devices. It's important to note that you can deploy an app to a device whether or not the device is managed by Intune. > [!NOTE] -> The **Available for enrolled devices** deployment intent is supported for **user groups** and **device groups** when targeting Android Enterprise fully managed devices (COBO) and Android Enterprise corporate-owned personally-enabled (COPE) devices. +> The **Available for enrolled devices** deployment intent is supported for **user groups** and **device groups** when targeting Android Enterprise fully managed devices (COBO) and Android Enterprise corporate-owned personally enabled (COPE) devices. ## Options when assigning managed apps @@ -64,7 +64,7 @@ The following table lists the various options when *assigning* apps to users and > > For almost all app types and platforms, *Available assignments* are only valid when assigning to user groups, not device groups. Win32 apps can be assigned to either user or device groups. > -> If managed Google Play pre-production track apps are assigned as required on Android Enterprise personally-owned work profile devices, they will not install on the device. To work around this, create two identical user groups and assign the pre-production track as "available" to one and "required" to the other. The result will be that the pre-production track successfully deploys to the device. +> If managed Google Play preproduction track apps are assigned as required on Android Enterprise personally owned work profile devices, they won't install on the device. To work around this, create two identical user groups and assign the preproduction track as "available" to one and "required" to the other. The result will be that the preproduction track successfully deploys to the device. ## Assign an app 
@@ -85,10 +85,10 @@ The following table lists the various options when *assigning* apps to users and > - To configure what happens to managed apps when devices are no longer managed, you can select the intended setting under **Uninstall on device removal**. For more information, see [App uninstall setting for iOS/iPadOS managed apps](apps-deploy.md#app-uninstall-setting-for-ios-managed-apps). > - If you have created an iOS/iPadOS VPN profile that contains per-app VPN settings, you can select the VPN profile under **VPN**. When the app is run, the VPN connection is opened. For more information, see [VPN settings for iOS/iPadOS devices](../configuration/vpn-settings-ios.md). > - To configure whether a required iOS/iPadOS app is installed as a removable app by end users, you can select the setting under **Install as removable**. - > - To configure a way to prevent the iCloud backup of the managed iOS/iPadOS app, you can click on one of the following settings after adding a group assignment - VPN, or Uninstall on device removal, or Install as removable. Then, configure the setting called Prevent iCloud app backup. For more information, see [Prevent iCloud app backup setting for iOS/iPadOS and macOS apps](#prevent-icloud-app-backup-setting-for-iosipados-and-macos-apps). + > - To configure a way to prevent the iCloud backup of the managed iOS/iPadOS app, you can select on one of the following settings after adding a group assignment - VPN, or Uninstall on device removal, or Install as removable. Then, configure the setting called Prevent iCloud app backup. For more information, see [Prevent iCloud app backup setting for iOS/iPadOS and macOS apps](#prevent-icloud-app-backup-setting-for-iosipados-and-macos-apps). > > **For macOS apps only**: - > - To configure a way to prevent the iCloud backup of the managed macOS app, you can click on one of the following settings after adding a group assignment - VPN, or Uninstall on device removal, or Install as removable. 
Then, configure the setting called Prevent iCloud app backup. For more information, see [Prevent iCloud app backup setting for iOS/iPadOS and macOS apps](#prevent-icloud-app-backup-setting-for-iosipados-and-macos-apps). + > - To configure a way to prevent the iCloud backup of the managed macOS app, you can select on one of the following settings after adding a group assignment - VPN, or Uninstall on device removal, or Install as removable. Then, configure the setting called Prevent iCloud app backup. For more information, see [Prevent iCloud app backup setting for iOS/iPadOS and macOS apps](#prevent-icloud-app-backup-setting-for-iosipados-and-macos-apps). > > **For Android apps only**: > - If you deploy an Android app as **Available with or without enrollment**, reporting status will only be available on enrolled devices. @@ -150,10 +150,10 @@ The information in the following table can help you understand the resulting int > [!NOTE] > For managed iOS store apps only, when you add these apps to Microsoft Intune and assign them as **Required**, the apps are automatically created with both **Required** and **Available** intents.

> iOS Store apps (not iOS/iPadOS VPP apps) that are targeted with required intent will be enforced on the device at the time of the device check-in and will also show in the Company Portal app.

-> When conflicts occur in **Uninstall on device removal** setting, the app is not removed from the device when the device is no longer managed. +> When conflicts occur in **Uninstall on device removal** setting, the app isn't removed from the device when the device is no longer managed. > [!NOTE] -> Apps deployed as Required to corporate-owned work profile and corporate-owned fully managed devices cannot be uninstalled manually by the user. +> Apps deployed as Required to corporate-owned work profile and corporate-owned fully managed devices can't be uninstalled manually by the user. ## Managed Google Play app deployment to unmanaged devices From 9ce7fa0e9aeb62ba6fbc945fd21faac310e35048 Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 9 Jan 2025 14:30:38 -0800 Subject: [PATCH 09/14] Update defender baseline --- .../security-baseline-settings-defender.md | 93 ++++++++++--------- 1 file changed, 51 insertions(+), 42 deletions(-) diff --git a/memdocs/intune/protect/security-baseline-settings-defender.md b/memdocs/intune/protect/security-baseline-settings-defender.md index 63c246d31b5..848f5150feb 100644 --- a/memdocs/intune/protect/security-baseline-settings-defender.md +++ b/memdocs/intune/protect/security-baseline-settings-defender.md 
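Review bot: in the @@ -85,10 hunk, "you can click on one of the following settings" was changed to "you can select on one of the following settings", which is ungrammatical; it should be "you can select one of the following settings" in both the iOS/iPadOS and the macOS bullets. The remaining hunks in this patch are style-only (contractions, "corporate-owned personally enabled", "preproduction") and read fine.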
@@ -39,37 +39,46 @@ zone_pivot_groups: atp-baseline-versions --> -# List of the settings in the Microsoft Defender for Endpoint security baseline in Intune +# Microsoft Defender for Endpoint security baseline settings reference for Microsoft Intune -This article is a reference for the settings that are available in the different versions of the Microsoft Defender for Endpoint security baseline that you can deploy with Microsoft Intune. Use the tabs to select and view the settings in the most recent baseline version and a few older versions that might still be in use. +This article is a reference for the settings that are available in the Microsoft Defender for Endpoint security baseline for Microsoft Intune. + +## About this reference article + +Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings. -For each setting this reference identifies the baselines default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types, like the *MDM security* and the *Defender for Endpoint* baselines, can also set different defaults. +The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays: -When the Intune UI includes a *Learn more* link for a setting, you’ll find that here as well. 
Use that link to view the settings *policy configuration service provider* (CSP) or relevant content that explains the settings operation. +- A list of each setting and its configuration as found in the default instance of that baseline version. +- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. -When a new version of a baseline becomes available, it replaces the previous version. Profiles instances that are created prior to the availability of a new version: +When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: - Become read-only. You can continue to use those profiles but can't edit them to change their configuration. -- Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings. +- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings. -To learn more about using security baselines, see [Use security baselines](security-baselines.md). In that article you'll also find information about how to: +This article is a reference for the settings that are available in the different versions of the Microsoft Defender for Endpoint security baseline that you can deploy with Microsoft Intune. Use the tabs to select and view the settings in the most recent baseline version and a few older versions that might still be in use. 
+ +To learn more about using security baselines, see: +- [Use security baselines](../protect/security-baselines.md) +- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) +- [Manage security baselines](../protect/security-baselines-configure.md) -- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) to update a profile to use the latest version of that baseline. ::: zone pivot="mde-v24h1" -**Microsoft Defender for Endpoint baseline version 24H1** +## Microsoft Defender for Endpoint baseline version 24H1 ::: zone-end ::: zone pivot="atp-december-2020" -**Microsoft Defender for Endpoint baseline for December 2020 - version 6** +## Microsoft Defender for Endpoint baseline for December 2020 - version 6 ::: zone-end ::: zone pivot="atp-sept-2020" -**Microsoft Defender for Endpoint baseline for September 2020 - version 5** +## Microsoft Defender for Endpoint baseline for September 2020 - version 5 ::: zone-end ::: zone pivot="atp-april-2020" -**Microsoft Defender for Endpoint baseline for April 2020 - version 4** +## Microsoft Defender for Endpoint baseline for April 2020 - version 4 ::: zone-end ::: zone pivot="atp-march-2020" -**Microsoft Defender for Endpoint baseline for March 2020 - version 3** +## Microsoft Defender for Endpoint baseline for March 2020 - version 3 ::: zone-end The Microsoft Defender for Endpoint baseline is available when your environment meets the prerequisites for using [Microsoft Defender for Endpoint](advanced-threat-protection.md#prerequisites). 
@@ -78,9 +87,9 @@ This baseline is optimized for physical devices and isn't recommended for use on ::: zone pivot="mde-v24h1" -## Administrative Templates +### Administrative Templates -### System > Device Installation > Device Installation Restrictions +#### System > Device Installation > Device Installation Restrictions - **Prevent installation of devices using drivers that match these device setup classes** Baseline default: *Enabled* @@ -92,7 +101,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Also apply to matching devices that are already installed.** Baseline default: *False* -### Windows Components > BitLocker Drive Encryption +#### Windows Components > BitLocker Drive Encryption - **Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)** Baseline default: *Enabled* @@ -107,7 +116,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Select the encryption method for fixed data drives:** Baseline default: *XTS-AES 128-bit (default)* -### Windows Components > BitLocker Drive Encryption > Fixed Data Drives +#### Windows Components > BitLocker Drive Encryption > Fixed Data Drives - **Choose how BitLocker-protected fixed drives can be recovered** Baseline default: *Enabled* @@ -119,7 +128,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Allow data recovery agent** Baseline default: *True* - - **Configure storage of BitLocker recovery information to AD DS:** + - **Configure storage of BitLocker recovery information to AD DS** Baseline default: *Backup recovery passwords and key packages* Value: *Allow 256-bit recovery key* 
@@ -144,7 +153,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Select the encryption type: (Device)** Baseline default: *Used Space Only encryption* -### Windows Components > BitLocker Drive Encryption > Operating System Drives +#### Windows Components > BitLocker Drive Encryption > Operating System Drives - **Allow devices compliant with InstantGo or HSTI to opt out of pre-boot PIN.** Baseline default: *Disabled* @@ -208,7 +217,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Configure TPM startup key:** Baseline default: *Do not allow startup key with TPM* -### Windows Components > BitLocker Drive Encryption > Removable Data Drives +#### Windows Components > BitLocker Drive Encryption > Removable Data Drives - **Control use of BitLocker on removable drives** Baseline default: *Enabled* @@ -234,7 +243,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Do not allow write access to devices configured in another organization** Baseline default: *False* -### Windows Components > File Explorer +#### Windows Components > File Explorer - **Configure Windows Defender SmartScreen** Baseline default: *Enabled* @@ -243,7 +252,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Pick one of the following settings: (Device)** Baseline default: *Warn and prevent bypass* -### Windows Components > Internet Explorer +#### Windows Components > Internet Explorer - **Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet** Baseline default: *Enabled* @@ -260,7 +269,7 @@ This baseline is optimized for physical devices and isn't recommended for use on - **Select SmartScreen Filter mode** Baseline default: *On* -## BitLocker +### BitLocker - **Allow Warning For Other Disk Encryption** Baseline default: *Enabled* 
@@ -274,7 +283,7 @@ This baseline is optimized for physical devices and isn't recommended for use on Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/bitlocker-csp?WT.mc_id=Portal-fx#requiredeviceencryption) -## Defender +### Defender - **Allow Archive Scanning** Baseline default: *Allowed. Scans the archive files.* @@ -464,19 +473,19 @@ This baseline is optimized for physical devices and isn't recommended for use on Baseline default: *Send all samples automatically.* [Learn more](/windows/client-management/mdm/policy-csp-Defender?WT.mc_id=Portal-fx#submitsamplesconsent) -## Device Guard +### Device Guard - **Credential Guard** Baseline default: *(Enabled with UEFI lock) Turns on Credential Guard with UEFI lock.* [Learn more](/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#lsacfgflags) -## Dma Guard +### Dma Guard - **Device Enumeration Policy** Baseline default: *Block all (Most restrictive)* [Learn more](/windows/client-management/mdm/policy-csp-dmaguard?WT.mc_id=Portal-fx#deviceenumerationpolicy) -## Firewall +### Firewall - **Certificate revocation list verification** Baseline default: *None* @@ -620,7 +629,7 @@ This baseline is optimized for physical devices and isn't recommended for use on Value: *300* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstoreglobalsaidletime) -## Microsoft Edge +### Microsoft Edge - **Configure Microsoft Defender SmartScreen** Baseline default: *Enabled* 
@@ -646,7 +655,7 @@ This baseline is optimized for physical devices and isn't recommended for use on ::: zone-end ::: zone pivot="atp-sept-2020,atp-december-2020" -## Attack Surface Reduction Rules +### Attack Surface Reduction Rules Attack surface reduction rules support a merger of settings from different policies, to create a superset of policy for each device. Only the settings that aren't in conflict are merged. Settings that are in conflict are not added to the superset of rules. Previously, if two policies included conflicts for a single setting, both policies were flagged as being in conflict, and no settings from either profile would be deployed. @@ -716,7 +725,7 @@ To learn more, see [Attack surface reduction rules](/windows/security/threat-pro ::: zone pivot="atp-march-2020,atp-april-2020" -## Application Guard +### Application Guard For more information, see [WindowsDefenderApplicationGuard CSP](/windows/client-management/mdm/windowsdefenderapplicationguard-csp) in the Windows documentation. @@ -744,7 +753,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone-end ::: zone pivot="atp-december-2020,atp-sept-2020,atp-march-2020,atp-april-2020" -## BitLocker +### BitLocker ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020" @@ -927,7 +936,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone pivot="atp-march-2020,atp-april-2020" -## Browser +### Browser - **Require SmartScreen for Microsoft Edge** Baseline default: *Yes* @@ -941,7 +950,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your Baseline default: *Yes* [Learn more](/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) -## Data Protection +### Data Protection - **Block direct memory access** Baseline default: *Yes* 
@@ -950,13 +959,13 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020" -## Device Guard +### Device Guard - **Turn on credential guard** Baseline default: *Enable with UEFI lock* [Learn more](https://go.microsoft.com/fwlink/?linkid=872424) -## Device Installation +### Device Installation ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020" @@ -1000,7 +1009,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone-end ::: zone pivot="atp-sept-2020,atp-december-2020" -## DMA Guard +### DMA Guard ::: zone-end ::: zone pivot="atp-sept-2020,atp-december-2020" @@ -1021,7 +1030,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your -## Endpoint Detection and Response +### Endpoint Detection and Response - **Sample sharing for all files** Baseline default: *Yes* @@ -1034,7 +1043,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020" -## Firewall +### Firewall - **Stateful File Transfer Protocol (FTP)** Baseline default: *Disabled* @@ -1200,7 +1209,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020" -## Microsoft Defender +### Microsoft Defender ::: zone-end ::: zone pivot="atp-december-2020" @@ -1591,7 +1600,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your -## Microsoft Defender Security Center +### Microsoft Defender Security Center - **Block users from editing the Exploit Guard protection interface** Baseline default: *Yes* 
@@ -1600,7 +1609,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your ::: zone-end ::: zone pivot="atp-march-2020,atp-april-2020,atp-sept-2020,atp-december-2020" -## Smart Screen +### Smart Screen - **Block users from ignoring SmartScreen warnings** Baseline default: *Yes* @@ -1649,7 +1658,7 @@ When you use Microsoft Edge, Microsoft Defender Application Guard protects your -## Windows Hello for Business +### Windows Hello for Business For more information, see [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp) in the Windows documentation. From 603f3a7f96166a5237c67d9a6aee8b5f8e5c483a Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 9 Jan 2025 14:38:15 -0800 Subject: [PATCH 10/14] Update older Edge baseline --- .../security-baseline-settings-edge.md | 39 ++++++++++++------- 1 file changed, 24 insertions(+), 15 deletions(-) diff --git a/memdocs/intune/protect/security-baseline-settings-edge.md b/memdocs/intune/protect/security-baseline-settings-edge.md index ab1ce8e995d..2376a40c8f6 100644 --- a/memdocs/intune/protect/security-baseline-settings-edge.md +++ b/memdocs/intune/protect/security-baseline-settings-edge.md @@ -7,7 +7,7 @@ description: View a list of the settings in the Microsoft Intune security baseli author: brenduns ms.author: brenduns manager: dougeby -ms.date: 03/26/2024 +ms.date: 01/09/2025 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect 
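Review bot: the `##` to `###` demotion in the atp-* zone pivots (Attack Surface Reduction Rules through Windows Hello for Business) only produces a sane outline if every pivot combination renders a `##` heading above these sections; please confirm that each of atp-march-2020, atp-april-2020, atp-sept-2020 and atp-december-2020 carries a `##` version heading in its own pivot block, otherwise a reader who selects one pivot sees the page jump from `#` straight to `###`. While the line is being touched, `### Smart Screen` still spells the product differently from the setting names directly under it (`Block users from ignoring SmartScreen warnings`); `### SmartScreen` would match the Browser section's `Require SmartScreen for Microsoft Edge`.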
@@ -32,37 +32,46 @@ zone_pivot_groups: edge-baseline-versions # List of the settings in the Microsoft Edge security baseline in Intune -This article is a reference for the settings that are available in the different versions of the Microsoft Edge security baseline that you can deploy with Microsoft Intune. You can use the tabs below to select and view the settings in the current baseline version and a few older versions that might still be in use. +This article is a reference for the settings that are available in the Microsoft Edge security baseline for Microsoft Intune. -For each setting you’ll find the baselines default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types could also set different defaults. +In May 2023, the settings for the Microsoft Edge baselines updated to a new format. This article provides a reference for Microsoft Edge baselines version 85 and earlier. To view the settings reference for newer baselines, see [Microsoft Edge security baseline settings reference for Microsoft Intune](../protect/security-baseline-v2-edge-settings.md). - -Although the settings in the Intune UI for this baseline omit *Learn more* links, this article includes links to relevant content. +## About this reference article -When a new version of a baseline becomes available, it replaces the previous version. Profiles instances that you’ve created prior to the availability of a new version: +Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. 
When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings. + +The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays: + +- A list of each and its configuration as found in the default instance of that baseline version. +- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. + +When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: - Become read-only. You can continue to use those profiles but can't edit them to change their configuration. -- Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings. +- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings. + +To learn more about using security baselines, see: +- [Use security baselines](../protect/security-baselines.md) +- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) +- [Manage security baselines](../protect/security-baselines-configure.md) -To learn more about using security baselines, see [Use security baselines](security-baselines.md). In that article you'll also find information about how to: - -- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) to update a profile to use the latest version of that baseline. 
::: zone pivot="edge-sept-2020" -**Microsoft Edge baseline for September 2020 (Edge version 85)** +## Microsoft Edge baseline for September 2020 (Edge version 85) + ::: zone-end ::: zone pivot="edge-april-2020" -**Microsoft Edge baseline for April 2020 (Edge version 80)** +## Microsoft Edge baseline for April 2020 (Edge version 80) ::: zone-end ::: zone pivot="edge-october-2019" -**Microsoft Edge baseline for October 2019** +## Microsoft Edge baseline for October 2019 > [!NOTE] -> The Microsoft Edge baseline for October 2019 is in Public Preview. +> The Microsoft Edge baseline for October 2019 is a Public Preview. ::: zone-end -## Microsoft Edge +### Microsoft Edge ::: zone pivot="edge-sept-2020,edge-april-2020" From d5dbee87b0f58e01ed58fbcbd082fe2688ed5d0d Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 9 Jan 2025 14:48:53 -0800 Subject: [PATCH 11/14] Update Windows Security baselines --- .../security-baseline-settings-mdm-all.md | 292 +++++++++--------- 1 file changed, 152 insertions(+), 140 deletions(-) diff --git a/memdocs/intune/protect/security-baseline-settings-mdm-all.md b/memdocs/intune/protect/security-baseline-settings-mdm-all.md index 31c02051079..90e7e495b0d 100644 --- a/memdocs/intune/protect/security-baseline-settings-mdm-all.md +++ b/memdocs/intune/protect/security-baseline-settings-mdm-all.md @@ -7,7 +7,7 @@ description: View the default setting configuration of the various Microsoft Int author: brenduns ms.author: brenduns manager: dougeby -ms.date: 07/01/2024 +ms.date: 01/09/2025 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect 
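Review bot: several wording defects in the rewritten Edge intro (hunk `@@ -32,37 +32,46`). `A list of each and its configuration` is missing the noun; it should read `A list of each setting and its configuration`. `based on baseline version you select` needs `the`, and `for a settings use` should be `for a setting's use`. In the zone-pivot part of the same hunk, `is a Public Preview` regresses the original `is in Public Preview`, which was correct. The deleted sentence about recommended defaults changing between baseline versions was a useful caveat for anyone comparing an old profile against the current one; consider keeping it in the new `## About this reference article` section rather than dropping it.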
@@ -29,42 +29,54 @@ ms.collection: zone_pivot_groups: windows-mdm-versions --- -# List of the settings in the Windows MDM security baseline in Intune +# Windows MDM security baseline settings reference for Microsoft Intunein Intune -This article is a reference for the settings that are available in the different versions of the Windows Mobile Device Management (MDM) security baseline for Windows 10 and Windows 11 devices that you manage with Microsoft Intune. You can use the provided Tabs to select and view the settings in the current baseline version and a few older versions that might still be in use. +This article is a reference for the settings that are available in the Windows Mobile Device Management (MDM) security baseline for Microsoft Intune. -For each setting you’ll find the baselines default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types, like the *MDM security* and the *Defender for Endpoint* baselines, could also set different defaults. +## About this reference article -When the Intune UI includes a *Learn more* link for a setting, you’ll find that here as well. Use that link to view the settings *policy configuration service provider* (CSP) or relevant content that explains the settings operation. +Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings. 
-When a new version of a baseline becomes available, it replaces the previous version. Profiles instances that you’ve created before the availability of a new version: +The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays: + +- A list of each and its configuration as found in the default instance of that baseline version. +- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. + +When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: - Become read-only. You can continue to use those profiles but can't edit them to change their configuration. -- Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings. +- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings. + +To learn more about using security baselines, see: +- [Use security baselines](../protect/security-baselines.md) +- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) +- [Manage security baselines](../protect/security-baselines-configure.md) -To learn more about using security baselines, see [Use security baselines](security-baselines.md). In that article you'll also find information about how to [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) to update a profile to use the latest version of that baseline. 
::: zone pivot="mdm-23h2" -**Security Baseline for Windows, version 23H2** +## Security Baseline for Windows, version 23H2 The settings in this baseline are taken from the **version 23H2** of the Group Policy security baseline as found in the [Security Compliance Toolkit and Baselines](https://www.microsoft.com/en-us/download/details.aspx?id=55319) from the Microsoft Download Center, and include only the settings that apply to Windows devices managed through Intune. When available, the setting name links to the source Configuration Service Provider (CSP), and then displays that settings default configuration in the baseline. ::: zone-end ::: zone pivot="mdm-november-2021" -**Security Baseline for Windows, November 2021** +## Security Baseline for Windows, November 2021 + ::: zone-end ::: zone pivot="mdm-december-2020" -**Security Baseline for Windows, December 2020** +## Security Baseline for Windows, December 2020 + ::: zone-end ::: zone pivot="mdm-august-2020" -**Security Baseline for Windows, August 2020** +## Security Baseline for Windows, August 2020 + ::: zone-end ::: zone pivot="mdm-23h2" -## Administrative Templates +### Administrative Templates -### Control Panel > Personalization +#### Control Panel > Personalization - **Prevent enabling lock screen camera** Baseline default: *Enabled* @@ -74,7 +86,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-devicelock?WT.mc_id=Portal-fx#preventlockscreenslideshow) -### MS Security Guide +#### MS Security Guide - **Apply UAC restrictions to local accounts on network logons** Baseline default: *Enabled* 
@@ -98,7 +110,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-mssecurityguide?WT.mc_id=Portal-fx#wdigestauthentication) -### MSS (Legacy) +#### MSS (Legacy) - **MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)** Baseline default: *Enabled* @@ -120,19 +132,19 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-msslegacy?WT.mc_id=Portal-fx#allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) -### Network > DNS Client +#### Network > DNS Client - **Turn off multicast name resolution** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-dnsclient?WT.mc_id=Portal-fx#turn_off_multicast) -### Network > Network Connections +#### Network > Network Connections - **Prohibit use of Internet Connection Sharing on your DNS domain network** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-networkconnections?WT.mc_id=Portal-fx#nc-showsharedaccessui) -### Network > Network Provider +#### Network > Network Provider - **Hardened UNC Paths** Baseline default: *Enabled* 
@@ -145,13 +157,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P | `\\*\SYSVOL` | RequireMutualAuthentication=1,RequireIntegrity=1 | | `\\*\NETLOGON` | RequireMutualAuthentication=1,RequireIntegrity=1 | -### Network > Windows Connection Manager +#### Network > Windows Connection Manager - **Prohibit connection to non-domain networks when connected to domain authenticated network** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-windowsconnectionmanager?WT.mc_id=Portal-fx#prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) -### Printers +#### Printers - **Configure Redirection Guard** Baseline default: *Enabled* @@ -191,13 +203,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Manage processing of Queue-specific files: (Device)** Baseline default: *Limit Queue-specific files to Color profiles* -### Start Menu and Taskbar > Notifications +#### Start Menu and Taskbar > Notifications - **Turn off toast notifications on the lock screen (User)** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-wpn?WT.mc_id=Portal-fx#nolockscreentoastnotification) -### System > Credentials Delegation +#### System > Credentials Delegation - **Encryption Oracle Remediation** Baseline default: *Enabled* @@ -209,7 +221,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-credentialsdelegation?WT.mc_id=Portal-fx#remotehostallowsdelegationofnonexportablecredentials) -### System > Device Installation > Device Installation Restrictions +#### System > Device Installation > Device Installation Restrictions - **Prevent installation of devices using drivers that match these device setup classes** Baseline default: *Enabled* 
@@ -219,7 +231,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Prevented Classes** Baseline default: *{d48179be-ec20-11d1-b6b8-00c04fa372a7}* -### System > Early Launch Antimalware +#### System > Early Launch Antimalware - **Boot-Start Driver Initialization Policy** Baseline default: *Enabled* @@ -227,7 +239,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Choose the boot-start drivers that can be initialized:** Baseline default: *Good, unknown and bad but critical* -### System > Group Policy +#### System > Group Policy - **Configure registry policy processing** Baseline default: *Enabled* @@ -237,7 +249,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Process even if the Group Policy objects have not changed (Device)** Baseline default: *True* -### System > Internet Communication Management > Internet Communication settings +#### System > Internet Communication Management > Internet Communication settings - **Turn off downloading of print drivers** Baseline default: *Enabled* @@ -247,13 +259,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-connectivity?WT.mc_id=Portal-fx#disableinternetdownloadforwebpublishingandonlineorderingwizards) -### System > Local Security Authority +#### System > Local Security Authority - **Allow Custom SSPs and APs to be loaded into LSASS** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-lsa#allowcustomsspsaps) -### System > Power Management > Sleep Settings +#### System > Power Management > Sleep Settings - **Allow standby states (S1-S3) when sleeping (on battery)** Baseline default: *Disabled* 
@@ -271,13 +283,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-power?WT.mc_id=Portal-fx#requirepasswordwhencomputerwakespluggedin) -### System > Remote Assistance +#### System > Remote Assistance - **Configure Solicited Remote Assistance** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-remoteassistance?WT.mc_id=Portal-fx#solicitedremoteassistance) -### System > Remote Procedure Call +#### System > Remote Procedure Call - **Restrict Unauthenticated RPC clients** Baseline default: *Enabled* @@ -285,13 +297,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **RPC Runtime Unauthenticated Client Restriction to Apply:** Baseline default: *Authenticated* -### Windows Components > App runtime +#### Windows Components > App runtime - **Allow Microsoft accounts to be optional** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-appruntime?WT.mc_id=Portal-fx#allowmicrosoftaccountstobeoptional) -### Windows Components > AutoPlay Policies +#### Windows Components > AutoPlay Policies - **Disallow Autoplay for non-volume devices** Baseline default: *Enabled* 
@@ -309,13 +321,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Turn off Autoplay on:** Baseline default: *All drives* -### Windows Components > BitLocker Drive Encryption > Fixed Data Drives +#### Windows Components > BitLocker Drive Encryption > Fixed Data Drives - **Deny write access to fixed drives not protected by BitLocker** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/bitlocker-csp?WT.mc_id=Portal-fx#fixeddrivesrequireencryption) -### Windows Components > BitLocker Drive Encryption > Removable Data Drives +#### Windows Components > BitLocker Drive Encryption > Removable Data Drives - **Deny write access to removable drives not protected by BitLocker** Baseline default: *Enabled* @@ -323,13 +335,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Do not allow write access to devices configured in another organization** Baseline default: *False* -### Windows Components > Credential User Interface +#### Windows Components > Credential User Interface - **Enumerate administrator accounts on elevation** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-credentialsui?WT.mc_id=Portal-fx#enumerateadministrators) -### Windows Components > Event Log Service > Application +#### Windows Components > Event Log Service > Application - **Specify the maximum log file size (KB)** Baseline default: *Enabled* @@ -337,7 +349,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Maximum Log Size (KB)** Baseline default: *32768* -### Windows Components > Event Log Service > Security +#### Windows Components > Event Log Service > Security - **Specify the maximum log file size (KB)** Baseline default: *Enabled* 
@@ -345,7 +357,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Maximum Log Size (KB)** Baseline default: *196608* -### Windows Components > Event Log Service > System +#### Windows Components > Event Log Service > System - **Specify the maximum log file size (KB)** Baseline default: *Enabled* @@ -353,7 +365,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Maximum Log Size (KB)** Baseline default: *32768* -### Windows Components > File Explorer +#### Windows Components > File Explorer - **Configure Windows Defender SmartScreen** Baseline default: *Enabled* @@ -369,7 +381,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-fileexplorer?WT.mc_id=Portal-fx#turnoffheapterminationoncorruption) -### Windows Components > Internet Explorer > Internet Control Panel > Advanced Page +#### Windows Components > Internet Explorer > Internet Control Panel > Advanced Page - **Allow software to run or install even if the signature is invalid** Baseline default: *Disabled* 
@@ -401,13 +413,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#allowenhancedprotectedmode) -### Windows Components > Internet Explorer > Internet Control Panel +#### Windows Components > Internet Explorer > Internet Control Panel - **Prevent ignoring certificate errors** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#disableignoringcertificateerrors) -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone - **Access data sources across domains** Baseline default: *Enabled* @@ -595,7 +607,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Web sites in less privileged Web content zones can navigate into this zone** Baseline default: *Disable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page - **Intranet Sites: Include all network paths (UNCs)** Baseline default: *Disabled* @@ -605,7 +617,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#allowcertificateaddressmismatchwarning) -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone - **Don't run antimalware programs against ActiveX controls** Baseline default: *Enabled* 
@@ -625,7 +637,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Java permissions** Baseline default: *High safety* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone - **Don't run antimalware programs against ActiveX controls** Baseline default: *Enabled* @@ -639,7 +651,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone - **Turn on SmartScreen Filter scan** Baseline default: *Enabled* @@ -647,7 +659,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Use SmartScreen Filter** Baseline default: *Enable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone - **Java permissions** Baseline default: *Enabled* @@ -655,7 +667,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone - **Java permissions** Baseline default: *Enabled* 
@@ -663,7 +675,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone - **Java permissions** Baseline default: *Enabled* @@ -677,7 +689,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Use SmartScreen Filter** Baseline default: *Enable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone - **Java permissions** Baseline default: *Enabled* @@ -685,7 +697,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone - **Access data sources across domains** Baseline default: *Enabled* @@ -921,7 +933,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Web sites in less privileged Web content zones can navigate into this zone** Baseline default: *Disable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone - **Don't run antimalware programs against ActiveX controls** Baseline default: *Enabled* 
@@ -941,7 +953,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Java permissions** Baseline default: *High safety* -### Windows Components > Internet Explorer +#### Windows Components > Internet Explorer - **Prevent bypassing SmartScreen Filter warnings** Baseline default: *Enabled* @@ -989,7 +1001,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#allowautocomplete) -### Windows Components > Internet Explorer > Security Features > Add-on Management +#### Windows Components > Internet Explorer > Security Features > Add-on Management - **Remove "Run this time" button for outdated ActiveX controls in Internet Explorer** Baseline default: *Enabled* @@ -999,7 +1011,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#donotblockoutdatedactivexcontrols) -### Windows Components > Internet Explorer > Security Features +#### Windows Components > Internet Explorer > Security Features - **Allow fallback to SSL 3.0 (Internet Explorer)** Baseline default: *Enabled* 
@@ -1007,91 +1019,91 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Allow insecure fallback for:** Baseline default: *No Sites* -### Windows Components > Internet Explorer > Security Features > Consistent Mime Handling +#### Windows Components > Internet Explorer > Security Features > Consistent Mime Handling - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#consistentmimehandlinginternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature +#### Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#mimesniffingsafetyfeatureinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction +#### Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#mkprotocolsecurityrestrictioninternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Notification bar +#### Windows Components > Internet Explorer > Security Features > Notification bar - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#notificationbarinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation +#### Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation - **Internet Explorer Processes** Baseline default: *Enabled* [Learn 
more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#protectionfromzoneelevationinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install +#### Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#restrictactivexinstallinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Restrict File Download +#### Windows Components > Internet Explorer > Security Features > Restrict File Download - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#restrictfiledownloadinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions +#### Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#scriptedwindowsecurityrestrictionsinternetexplorerprocesses) -### Windows Components > Microsoft Defender Antivirus > MAPS +#### Windows Components > Microsoft Defender Antivirus > MAPS - **Configure the 'Block at First Sight' feature** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#disableblockatfirstseen) -### Windows Components > Microsoft Defender Antivirus > Real-time Protection +#### Windows Components > Microsoft Defender Antivirus > Real-time Protection - **Turn on process scanning whenever real-time protection is enabled** Baseline default: *Enabled* [Learn 
more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#realtimeprotection-disablescanonrealtimeenable) -### Windows Components > Microsoft Defender Antivirus > Scan +#### Windows Components > Microsoft Defender Antivirus > Scan - **Scan packed executables** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#scan-disablepackedexescanning) -### Windows Components > Microsoft Defender Antivirus +#### Windows Components > Microsoft Defender Antivirus - **Turn off routine remediation** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#disableroutinelytakingaction) -### Windows Components > Remote Desktop Services > Remote Desktop Connection Client +#### Windows Components > Remote Desktop Services > Remote Desktop Connection Client - **Do not allow passwords to be saved** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotedesktopservices?WT.mc_id=Portal-fx#donotallowpasswordsaving) -### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection +#### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection - **Do not allow drive redirection** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotedesktopservices?WT.mc_id=Portal-fx#donotallowdriveredirection) -### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security +#### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security - **Always prompt for password upon connection** Baseline default: *Enabled* 
@@ -1107,13 +1119,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Encryption Level** Baseline default: *High Level* -### Windows Components > RSS Feeds +#### Windows Components > RSS Feeds - **Prevent downloading of enclosures** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#disableenclosuredownloading) -### Windows Components > Windows Logon Options +#### Windows Components > Windows Logon Options - **Enable MPR notifications for the system** Baseline default: *Disabled* @@ -1123,7 +1135,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-windowslogon?WT.mc_id=Portal-fx#allowautomaticrestartsignon) -### Windows Components > Windows PowerShell +#### Windows Components > Windows PowerShell - **Turn on PowerShell Script Block Logging** Baseline default: *Enabled* @@ -1131,7 +1143,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Log script block invocation start / stop events:** Baseline default: *False* -### Windows Components > Windows Remote Management (WinRM) > WinRM Client +#### Windows Components > Windows Remote Management (WinRM) > WinRM Client - **Allow Basic authentication** Baseline default: *Disabled* @@ -1145,7 +1157,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotemanagement?WT.mc_id=Portal-fx#disallowdigestauthentication) -### Windows Components > Windows Remote Management (WinRM) > WinRM Service +#### Windows Components > Windows Remote Management (WinRM) > WinRM Service - **Allow Basic authentication** Baseline default: *Disabled* 
@@ -1159,7 +1171,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotemanagement?WT.mc_id=Portal-fx#disallowstoringofrunascredentials) -## Auditing +### Auditing - **Account Logon Audit Credential Validation** Baseline default: *Success+ Failure* @@ -1253,7 +1265,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Success+ Failure* [Learn more](/windows/client-management/mdm/policy-csp-Audit?WT.mc_id=Portal-fx#system_auditsystemintegrity) -## Browser +### Browser - **Allow Password Manager** Baseline default: *Block* @@ -1275,13 +1287,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-Browser?WT.mc_id=Portal-fx#preventsmartscreenpromptoverrideforfiles) -## Data Protection +### Data Protection - **Allow Direct Memory Access** Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-dataprotection?WT.mc_id=Portal-fx#allowdirectmemoryaccess) -## Defender +### Defender - **Allow Archive Scanning** Baseline default: *Allowed. Scans the archive files.* @@ -1385,7 +1397,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Send all samples automatically.* [Learn more](/windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-fx#submitsamplesconsent) -## Device Guard +### Device Guard - **Configure System Guard Launch** Baseline default: *Unmanaged Enables Secure Launch if supported by hardware* 
@@ -1403,7 +1415,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Turns on VBS with Secure Boot.* [Learn more](/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#requireplatformsecurityfeatures) -## Device Lock +### Device Lock - **Device Password Enabled** Baseline default: *Enabled* @@ -1417,13 +1429,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Value: *14* [Learn more](/windows/client-management/mdm/policy-csp-devicelock?WT.mc_id=Portal-fx#mindevicepasswordlength) -## Dma Guard +### Dma Guard - **Device Enumeration Policy** Baseline default: *Block all (Most restrictive)* [Learn more](/windows/client-management/mdm/policy-csp-dmaguard?WT.mc_id=Portal-fx#deviceenumerationpolicy) -## Experience +### Experience - **Allow Windows Spotlight (User)** Baseline default: *Allow* @@ -1435,7 +1447,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-Experience?WT.mc_id=Portal-fx#allowthirdpartysuggestionsinwindowsspotlight) -## Firewall +### Firewall - **Enable Domain Network Firewall** Baseline default: *True* @@ -1509,13 +1521,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *False* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileallowlocalipsecpolicymerge) -## Lanman Workstation +### Lanman Workstation - **Enable Insecure Guest Logons** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-LanmanWorkstation?WT.mc_id=Portal-fx#enableinsecureguestlogons) -## Local Policies Security Options +### Local Policies Security Options - **Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only** Baseline default: *Enabled* 
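Review bot: the heading casing in the `@@ -1417,13 +1429,13 @@` hunk (`+### Dma Guard`) doesn't match the equivalent section in the older pivot, which this same patch demotes to `+### DMA Guard`. Both sections cover the DMA Guard device-enumeration policy, so readers switching between pivots see two spellings for the same category. If the headings are meant to mirror the Intune settings-catalog category names exactly, leave it as-is; otherwise this pass over the heading levels is the right moment to align the two.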
@@ -1603,14 +1615,14 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-LocalPoliciesSecurityOptions?WT.mc_id=Portal-fx#useraccountcontrol_virtualizefileandregistrywritefailurestoperuserlocations) -## Local Security Authority +### Local Security Authority - **Configure Lsa Protected Process** Baseline default: *Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked.* [Learn more](/windows/client-management/mdm/policy-csp-lsa#configurelsaprotectedprocess) -## Microsoft App Store +### Microsoft App Store - **Allow Game DVR** Baseline default: *Block* @@ -1624,9 +1636,9 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-ApplicationManagement?WT.mc_id=Portal-fx#msialwaysinstallwithelevatedprivileges) -## Microsoft Edge +### Microsoft Edge -### SmartScreen settings +#### SmartScreen settings - **Configure Microsoft Defender SmartScreen** Baseline default: *Enabled* @@ -1634,19 +1646,19 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Prevent bypassing Microsoft Defender SmartScreen prompts for sites** Baseline default: *Enabled* -## Privacy +### Privacy - **Let Apps Activate With Voice Above Lock** Baseline default: *Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it.* [Learn more](/windows/client-management/mdm/policy-csp-Privacy?WT.mc_id=Portal-fx#letappsactivatewithvoiceabovelock) -## Search +### Search - **Allow Indexing Encrypted Stores Or Items** Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-Search?WT.mc_id=Portal-fx#allowindexingencryptedstoresoritems) -## Smart Screen +### Smart Screen - **Enable Smart Screen In Shell** Baseline default: *Enabled* 
@@ -1656,7 +1668,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-smartscreen?WT.mc_id=Portal-fx#preventoverrideforfilesinshell) -### Enhanced Phishing Protection +#### Enhanced Phishing Protection - **Notify Malicious** Baseline default: *Enabled* @@ -1670,7 +1682,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P - **Service Enabled** Baseline default: *Enabled* -## System Services +### System Services - **Configure Xbox Accessory Management Service Startup Mode** Baseline default: *Disabled* @@ -1688,13 +1700,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-SystemServices?WT.mc_id=Portal-fx#configurexboxlivenetworkingservicestartupmode) -## Task Scheduler +### Task Scheduler - **Enable Xbox Game Save Task** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-TaskScheduler?WT.mc_id=Portal-fx#enablexboxgamesavetask) -## User Rights +### User Rights - **Access From Network** Baseline default: *Configured* @@ -1781,13 +1793,13 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Value: *Administrators* (*S-1-5-32-544) [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#takeownership) -## Virtualization Based Technology +### Virtualization Based Technology - **Hypervisor Enforced Code Integrity** Baseline default: *(Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock.* [Learn more](/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#hypervisorenforcedcodeintegrity) -## Wi-Fi Settings +### Wi-Fi Settings - **Allow Auto Connect To Wi Fi Sense Hotspots** Baseline default: *Block* 
@@ -1797,19 +1809,19 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-wifi?WT.mc_id=Portal-fx#allowinternetsharing) -## Windows Hello For Business +### Windows Hello For Business - **Facial Features Use Enhanced Anti Spoofing** Baseline default: *true* [Learn more](/windows/client-management/mdm/PassportForWork-csp/?WT.mc_id=Portal-fx#devicebiometricsfacialfeaturesuseenhancedantispoofing) -## Windows Ink Workspace +### Windows Ink Workspace - **Allow Windows Ink Workspace** Baseline default: *Ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.* [Learn more](/windows/client-management/mdm/policy-csp-WindowsInkWorkspace?WT.mc_id=Portal-fx#allowwindowsinkworkspace) -## LAPS +### LAPS - **Backup Directory** Baseline default: *Backup the password to Azure AD only* @@ -1822,7 +1834,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P ::: zone pivot="mdm-august-2020,mdm-december-2020,mdm-november-2021" -## Above Lock +### Above Lock - **Voice activate apps from locked screen**: Baseline default: *Disabled* @@ -1832,7 +1844,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Yes* [Learn More](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts) -## App Runtime +### App Runtime - **Microsoft accounts optional for Microsoft store apps**: Baseline default: *Enabled* @@ -1841,7 +1853,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P ::: zone-end ::: zone pivot="mdm-august-2020,mdm-december-2020,mdm-november-2021" -## Application Management +### Application Management - **Block app installations with elevated privileges**: Baseline default: *Yes* 
@@ -1855,7 +1867,7 @@ The settings in this baseline are taken from the **version 23H2** of the Group P Baseline default: *Yes* [Learn more](/windows/client-management/mdm/policy-csp-applicationmanagement#applicationmanagement-allowgamedvr) -## Audit +### Audit Audit settings configure the events that are generated for the conditions of the setting. @@ -1931,7 +1943,7 @@ Audit settings configure the events that are generated for the conditions of the - **System Audit System Integrity (Device)**: Baseline default: *Success and Failure* -## Auto Play +### Auto Play - **Auto play default auto run behavior**: Baseline default: *Do not execute* @@ -1945,7 +1957,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-autoplay#autoplay-disallowautoplayfornonvolumedevices) -## BitLocker +### BitLocker - **BitLocker removable drive policy**: Baseline default: *Configure* @@ -1955,7 +1967,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=872540) -## Browser +### Browser - **Block Password Manager**: Baseline default: *Yes* @@ -1977,7 +1989,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067126) -## Connectivity +### Connectivity - **Configure secure access to UNC paths**: Baseline default: *Configure Windows to only allow access to the specified UNC paths after fulfilling additional security requirements* 
@@ -1994,25 +2006,25 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067136) -## Credentials Delegation +### Credentials Delegation - **Remote host delegation of non-exportable credentials**: Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067103) -## Credentials UI +### Credentials UI - **Enumerate administrators**: Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067021) -## Data Protection +### Data Protection - **Block direct memory access**: Baseline default: Yes [Learn more](https://go.microsoft.com/fwlink/?linkid=2067031) -## Device Guard +### Device Guard - **Virtualization based security**: Baseline default: *Enable VBS with secure boot* @@ -2028,7 +2040,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enable with UEFI lock* [Learn more](https://go.microsoft.com/fwlink/?linkid=872424) -## Device Installation +### Device Installation - **Block hardware device installation by setup classes**: Baseline default: *Yes* @@ -2063,7 +2075,7 @@ Audit settings configure the events that are generated for the conditions of the - **Hardware device identifiers that are blocked**: Baseline default: *No default configuration* -## Device Lock +### Device Lock - **Require password**: Baseline default: *Yes* @@ -2109,12 +2121,12 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067105) -## DMA Guard +### DMA Guard - **Enumeration of external devices incompatible with Kernel DMA Protection**: Baseline default: *Block all* -## Event Log Service +### Event Log Service - **Application log maximum file size in KB**: Baseline default: *32768* 
@@ -2128,7 +2140,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *196608* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067042) -## Experience +### Experience - **Block Windows Spotlight**: Baseline default: *Yes* @@ -2145,7 +2157,7 @@ Audit settings configure the events that are generated for the conditions of the ::: zone-end ::: zone pivot="mdm-august-2020" -## Exploit Guard +### Exploit Guard - **Upload XML**: Baseline default: *Sample xml is provided* @@ -2154,7 +2166,7 @@ Audit settings configure the events that are generated for the conditions of the ::: zone-end ::: zone pivot="mdm-august-2020,mdm-december-2020,mdm-november-2021" -## File Explorer +### File Explorer - **Block data execution prevention**: Baseline default: *Disabled* @@ -2164,7 +2176,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067107) -## Firewall +### Firewall For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlink/?linkid=2066796) in the Windows Protocols documentation. @@ -2236,7 +2248,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=872567) -## Internet Explorer +### Internet Explorer - **Internet Explorer encryption support**: @@ -2711,7 +2723,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer#allowautocomplete) -## Local Policies Security Options +### Local Policies Security Options - **Block remote logon with blank password**: 
@@ -2801,7 +2813,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin ::: zone-end ::: zone pivot="mdm-december-2020,mdm-november-2021" -## Microsoft Defender +### Microsoft Defender - **Block Adobe Reader from creating child processes**: Baseline default: *Enable* @@ -3018,7 +3030,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin ::: zone-end ::: zone pivot="mdm-august-2020,mdm-december-2020,mdm-november-2021" -## MS Security Guide +### MS Security Guide - **SMB v1 client driver start configuration**: Baseline default: *Disabled driver* @@ -3040,7 +3052,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067193) -## MSS Legacy +### MSS Legacy - **Network IPv6 source routing protection level**: Baseline default: *Highest protection* @@ -3058,7 +3070,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067326) -## Power +### Power - **Require password on wake while on battery**: Baseline default: *Enabled* @@ -3076,13 +3088,13 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067196) -## Remote Assistance +### Remote Assistance - **Remote Assistance solicited**: Baseline default: *Disable Remote Assistance* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067198) -## Remote Desktop Services +### Remote Desktop Services - **Remote desktop services client connection encryption level**: Baseline default: *High* 
@@ -3103,7 +3115,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067248) -## Remote Management +### Remote Management - **Block client digest authentication**: Baseline default: *Enabled* @@ -3129,19 +3141,19 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067226) -## Remote Procedure Call +### Remote Procedure Call - **RPC unauthenticated client options**: Baseline default: *Authenticated* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067225) -## Search +### Search - **Disable indexing encrypted items**: Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067303) -## Smart Screen +### Smart Screen - **Turn on Windows SmartScreen** Baseline default: *Yes* @@ -3151,13 +3163,13 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=872783) -## System +### System - **System boot start driver initialization**: Baseline default: *Good unknown and bad critical* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067307) -## Wi-Fi +### Wi-Fi - **Block Automatically connecting to Wi-Fi hotspots**: Baseline default: *Yes* 
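Review bot: each `##` section heading visible in these hunks (the 23H2 block and the `mdm-august-2020`, `mdm-december-2020` and `mdm-november-2021` pivots) is demoted to `###`, but none of the hunks adds the `##` parent heading that the new level implies. Confirm that every `::: zone pivot=...` block receives its own `##` version heading above its first `###` (the 24H1 patch later in this series does this with `## Windows 365 Cloud PC security baseline version 24H1`); otherwise the demoted headings render as orphaned subsections and the generated TOC skips a level. In-page anchors such as `#auditing` are unaffected, since the slug derives from the heading text rather than its level.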
@@ -3167,19 +3179,19 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067327) -## Windows Connection Manager +### Windows Connection Manager - **Block connection to non-domain networks**: Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067323) -## Windows Ink Workspace +### Windows Ink Workspace - **Ink Workspace**: Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067241) -## Windows PowerShell +### Windows PowerShell - **PowerShell script block logging**: Baseline default: *Enabled* From 41cd07461f2a3dc7e5008025a760d383d0a36283 Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 9 Jan 2025 14:56:19 -0800 Subject: [PATCH 12/14] Update Windows 365 cloud pc security baselines --- .../security-baseline-settings-windows-365.md | 257 +++++++++--------- 1 file changed, 131 insertions(+), 126 deletions(-) diff --git a/memdocs/intune/protect/security-baseline-settings-windows-365.md b/memdocs/intune/protect/security-baseline-settings-windows-365.md index d1527ba5f08..bf680f38419 100644 --- a/memdocs/intune/protect/security-baseline-settings-windows-365.md +++ b/memdocs/intune/protect/security-baseline-settings-windows-365.md 
@@ -35,33 +35,38 @@ zone_pivot_groups: windows-365-versions - win365-nov21 > November 2021 --> -# List of the settings in the Windows 365 Cloud PC security baseline in Intune +# Windows 365 Cloud PC security baseline settings reference for Microsoft Intune -This article is a reference for the settings that are available in the Windows 365 Cloud PC security baseline that you can deploy with Microsoft Intune. +TThis article is a reference for the settings that are available in the Windows 365 Cloud PC security baseline for Microsoft Intune. -For each setting we list the baselines default configuration, which is also the recommended configuration for that setting provided by the relevant security team. Because products and the security landscape evolve, the recommended defaults in one baseline version might not match the defaults you find in later versions of the same baseline. Different baseline types, like the *MDM security* and the *Defender for Endpoint* baselines, could also set different defaults. +## About this reference article -When the Intune UI includes a *Learn more* link for a setting, we include that here as well. Use that link to view the settings *policy configuration service provider* (CSP) or relevant content that explains the settings operation. +Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings. -When a new version of a baseline becomes available, it replaces the previous version. Profiles instances that you’ve created prior to the availability of a new version: +The details that display in this article are based on baseline version you select at the top of the article. 
For each version, this article displays: + +- A list of each and its configuration as found in the default instance of that baseline version. +- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. + +When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: - Become read-only. You can continue to use those profiles but can't edit them to change their configuration. -- Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings. +- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings. To learn more about using security baselines, see: - -- [Use security baselines](security-baselines.md) -- [Manage security baselines](security-baselines-configure.md) +- [Use security baselines](../protect/security-baselines.md) +- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) +- [Manage security baselines](../protect/security-baselines-configure.md) ::: zone pivot="win365-24h1" -**Windows 365 Cloud PC security baseline version 24H1**: +## Windows 365 Cloud PC security baseline version 24H1 The settings in this baseline apply to Windows devices managed through Intune. When available, the setting name links to the source Configuration Service Provider (CSP), and then displays that settings default configuration in the baseline. -## Administrative Templates +### Administrative Templates -### Control Panel > Personalization +#### Control Panel > Personalization - **Prevent enabling lock screen camera** Baseline default: *Enabled* 
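Review bot: the rewritten intro line in this hunk carries a typo: `+TThis article is a reference for the settings that are available in the Windows 365 Cloud PC security baseline for Microsoft Intune.` should begin `This article`. A few grammar slips in the same added block are worth fixing in the same pass: `based on baseline version you select` is missing `the`; `- A list of each and its configuration as found in the default instance` is missing its noun (`each setting`); and `for a settings use` should be `for a setting's use`. This hunk also drops the removed paragraph's caveat that recommended defaults in one baseline version might not match later versions of the same baseline and that different baseline types can set different defaults; since the page now shows several versions side by side via pivots, consider keeping that sentence under the new `## About this reference article` heading.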
@@ -71,7 +76,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-devicelock?WT.mc_id=Portal-fx#preventlockscreenslideshow) -### MS Security Guide +#### MS Security Guide - **Apply UAC restrictions to local accounts on network logons** Baseline default: *Enabled* @@ -96,7 +101,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-mssecurityguide?WT.mc_id=Portal-fx#wdigestauthentication) -### MSS (Legacy) +#### MSS (Legacy) - **MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing)** Baseline default: *Enabled* @@ -120,19 +125,19 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-msslegacy?WT.mc_id=Portal-fx#allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers) -### Network > DNS Client +#### Network > DNS Client - **Turn off multicast name resolution** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-dnsclient?WT.mc_id=Portal-fx#turn_off_multicast) -### Network > Network Connections +#### Network > Network Connections - **Prohibit use of Internet Connection Sharing on your DNS domain network** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-networkconnections?WT.mc_id=Portal-fx#nc-showsharedaccessui) -### Network > Network Provider +#### Network > Network Provider - **Hardened UNC Paths** Baseline default: *Enabled* 
@@ -145,19 +150,19 @@ The settings in this baseline apply to Windows devices managed through Intune. W | `\\*\SYSVOL` | RequireMutualAuthentication=1,RequireIntegrity=1 | | `\\*\NETLOGON` | RequireMutualAuthentication=1,RequireIntegrity=1 | -### Network > Windows Connection Manager +#### Network > Windows Connection Manager - **Prohibit connection to non-domain networks when connected to domain authenticated network** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-windowsconnectionmanager?WT.mc_id=Portal-fx#prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork) -### Start Menu and Taskbar > Notifications +#### Start Menu and Taskbar > Notifications - **Turn off toast notifications on the lock screen (User)** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-wpn?WT.mc_id=Portal-fx#nolockscreentoastnotification) -### System > Credentials Delegation +#### System > Credentials Delegation - **Encryption Oracle Remediation** Baseline default: *Enabled* @@ -169,7 +174,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-credentialsdelegation?WT.mc_id=Portal-fx#remotehostallowsdelegationofnonexportablecredentials) -### System > Device Installation > Device Installation Restrictions +#### System > Device Installation > Device Installation Restrictions - **Prevent installation of devices using drivers that match these device setup classes** Baseline default: *Enabled* @@ -180,7 +185,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Also apply to matching devices that are already installed** Baseline default: *True* -### System > Early Launch Antimalware +#### System > Early Launch Antimalware - **Boot-Start Driver Initialization Policy** Baseline default: *Enabled* 
@@ -188,7 +193,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Choose the boot-start drivers that can be initialized:** Baseline default: *Good, unknown and bad but critical* -### System > Group Policy +#### System > Group Policy - **Configure registry policy processing** Baseline default: *Enabled* @@ -199,7 +204,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Process even if the Group Policy objects have not changed (Device)** Baseline default: *True* -### System > Internet Communication Management > Internet Communication settings +#### System > Internet Communication Management > Internet Communication settings - **Turn off downloading of print drivers over HTTP** Baseline default: *Enabled* @@ -209,13 +214,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-connectivity?WT.mc_id=Portal-fx#disableinternetdownloadforwebpublishingandonlineorderingwizards) -### System > Remote Assistance +#### System > Remote Assistance - **Configure Solicited Remote Assistance** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-remoteassistance?WT.mc_id=Portal-fx#solicitedremoteassistance) -### System > Remote Procedure Call +#### System > Remote Procedure Call - **Restrict Unauthenticated RPC clients** Baseline default: *Enabled* 
@@ -223,13 +228,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **RPC Runtime Unauthenticated Client Restriction to Apply:** Baseline default: *Authenticated* -### Windows Components > App runtime +#### Windows Components > App runtime - **Allow Microsoft accounts to be optional** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-appruntime?WT.mc_id=Portal-fx#allowmicrosoftaccountstobeoptional) -### Windows Components > AutoPlay Policies +#### Windows Components > AutoPlay Policies - **Disallow Autoplay for non-volume devices** Baseline default: *Enabled* @@ -247,13 +252,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Turn off Autoplay on:** Baseline default: *All drives* -### Windows Components > Credential User Interface +#### Windows Components > Credential User Interface - **Enumerate administrator accounts on elevation** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-credentialsui?WT.mc_id=Portal-fx#enumerateadministrators) -### Windows Components > Event Log Service > Application +#### Windows Components > Event Log Service > Application - **Specify the maximum log file size (KB)** Baseline default: *Enabled* @@ -261,7 +266,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Maximum Log Size (KB)** Baseline default: *32768* -### Windows Components > Event Log Service > Security +#### Windows Components > Event Log Service > Security - **Specify the maximum log file size (KB)** Baseline default: *Enabled* @@ -269,7 +274,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Maximum Log Size (KB)** Baseline default: *196608* -### Windows Components > Event Log Service > System +#### Windows Components > Event Log Service > System - **Specify the maximum log file size (KB)** Baseline default: *Enabled* 
@@ -277,7 +282,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Maximum Log Size (KB)** Baseline default: *32768* -### Windows Components > File Explorer +#### Windows Components > File Explorer - **Configure Windows Defender SmartScreen** Baseline default: *Enabled* @@ -293,7 +298,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-fileexplorer?WT.mc_id=Portal-fx#turnoffheapterminationoncorruption) -### Windows Components > Internet Explorer > Internet Control Panel > Advanced Page +#### Windows Components > Internet Explorer > Internet Control Panel > Advanced Page - **Allow software to run or install even if the signature is invalid** Baseline default: *Disabled* @@ -325,13 +330,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#allowenhancedprotectedmode) -### Windows Components > Internet Explorer > Internet Control Panel +#### Windows Components > Internet Explorer > Internet Control Panel - **Prevent ignoring certificate errors** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#disableignoringcertificateerrors) -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone - **Access data sources across domains** Baseline default: *Enabled* 
@@ -525,7 +530,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Web sites in less privileged Web content zones can navigate into this zone** Baseline default: *Disable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page - **Intranet Sites: Include all network paths (UNCs)** Baseline default: *Disabled* @@ -535,7 +540,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#allowcertificateaddressmismatchwarning) -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Intranet Zone - **Don't run antimalware programs against ActiveX controls** Baseline default: *Enabled* @@ -555,7 +560,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Java permissions** Baseline default: *High safety* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Local Machine Zone - **Don't run antimalware programs against ActiveX controls** Baseline default: *Enabled* @@ -569,7 +574,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone - **Turn on SmartScreen Filter scan** Baseline default: *Enabled* 
@@ -577,7 +582,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Use SmartScreen Filter** Baseline default: *Enable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone - **Java permissions** Baseline default: *Enabled* @@ -585,7 +590,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Local Machine Zone - **Java permissions** Baseline default: *Enabled* @@ -593,7 +598,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Restricted Sites Zone - **Java permissions** Baseline default: *Enabled* @@ -608,7 +613,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Use SmartScreen Filter** Baseline default: *Enable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Trusted Sites Zone - **Java permissions** Baseline default: *Enabled* 
@@ -616,7 +621,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Java permissions** Baseline default: *Disable Java* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Restricted Sites Zone - **Access data sources across domains** Baseline default: *Enabled* @@ -855,7 +860,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Web sites in less privileged Web content zones can navigate into this zone** Baseline default: *Disable* -### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone +#### Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone - **Don't run antimalware programs against ActiveX controls** Baseline default: *Enabled* @@ -875,7 +880,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Java permissions** Baseline default: *High safety* -### Windows Components > Internet Explorer +#### Windows Components > Internet Explorer - **Prevent bypassing SmartScreen Filter warnings** Baseline default: *Enabled* @@ -923,7 +928,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#allowautocomplete) -### Windows Components > Internet Explorer > Security Features > Add-on Management +#### Windows Components > Internet Explorer > Security Features > Add-on Management - **Remove "Run this time" button for outdated ActiveX controls in Internet Explorer** Baseline default: *Enabled* 
@@ -933,7 +938,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#donotblockoutdatedactivexcontrols) -### Windows Components > Internet Explorer > Security Features +#### Windows Components > Internet Explorer > Security Features - **Allow fallback to SSL 3.0 (Internet Explorer)** Baseline default: *Enabled* 
@@ -941,91 +946,91 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Allow insecure fallback for:** Baseline default: *No Sites* -### Windows Components > Internet Explorer > Security Features > Consistent Mime Handling +#### Windows Components > Internet Explorer > Security Features > Consistent Mime Handling - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#consistentmimehandlinginternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature +#### Windows Components > Internet Explorer > Security Features > Mime Sniffing Safety Feature - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#mimesniffingsafetyfeatureinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction +#### Windows Components > Internet Explorer > Security Features > MK Protocol Security Restriction - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#mkprotocolsecurityrestrictioninternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Notification bar +#### Windows Components > Internet Explorer > Security Features > Notification bar - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#notificationbarinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation +#### Windows Components > Internet Explorer > Security Features > Protection From Zone Elevation - **Internet Explorer Processes** Baseline default: *Enabled* [Learn 
more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#protectionfromzoneelevationinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install +#### Windows Components > Internet Explorer > Security Features > Restrict ActiveX Install - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#restrictactivexinstallinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Restrict File Download +#### Windows Components > Internet Explorer > Security Features > Restrict File Download - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#restrictfiledownloadinternetexplorerprocesses) -### Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions +#### Windows Components > Internet Explorer > Security Features > Scripted Window Security Restrictions - **Internet Explorer Processes** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#scriptedwindowsecurityrestrictionsinternetexplorerprocesses) -### Windows Components > Microsoft Defender Antivirus > MAPS +#### Windows Components > Microsoft Defender Antivirus > MAPS - **Configure the 'Block at First Sight' feature** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#disableblockatfirstseen) -### Windows Components > Microsoft Defender Antivirus > Real-time Protection +#### Windows Components > Microsoft Defender Antivirus > Real-time Protection - **Turn on process scanning whenever real-time protection is enabled** Baseline default: *Enabled* [Learn 
more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#realtimeprotection-disablescanonrealtimeenable) -### Windows Components > Microsoft Defender Antivirus > Scan +#### Windows Components > Microsoft Defender Antivirus > Scan - **Scan packed executables** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#scan-disablepackedexescanning) -### Windows Components > Microsoft Defender Antivirus +#### Windows Components > Microsoft Defender Antivirus - **Turn off routine remediation** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-admx-microsoftdefenderantivirus?WT.mc_id=Portal-fx#disableroutinelytakingaction) -### Windows Components > Remote Desktop Services > Remote Desktop Connection Client +#### Windows Components > Remote Desktop Services > Remote Desktop Connection Client - **Do not allow passwords to be saved** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotedesktopservices?WT.mc_id=Portal-fx#donotallowpasswordsaving) -### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection +#### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Device and Resource Redirection - **Do not allow drive redirection** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotedesktopservices?WT.mc_id=Portal-fx#donotallowdriveredirection) -### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security +#### Windows Components > Remote Desktop Services > Remote Desktop Session Host > Security - **Always prompt for password upon connection** Baseline default: *Enabled* 
@@ -1041,19 +1046,19 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Encryption Level** Baseline default: *High Level* -### Windows Components > RSS Feeds +#### Windows Components > RSS Feeds - **Prevent downloading of enclosures** Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-internetexplorer?WT.mc_id=Portal-fx#disableenclosuredownloading) -### Windows Components > Windows Logon Options +#### Windows Components > Windows Logon Options - **Sign-in and lock last interactive user automatically after a restart** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-windowslogon?WT.mc_id=Portal-fx#allowautomaticrestartsignon) -### Windows Components > Windows PowerShell +#### Windows Components > Windows PowerShell - **Turn on PowerShell Script Block Logging** Baseline default: *Enabled* @@ -1061,7 +1066,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Log script block invocation start / stop events:** Baseline default: *False* -### Windows Components > Windows Remote Management (WinRM) > WinRM Client +#### Windows Components > Windows Remote Management (WinRM) > WinRM Client - **Allow Basic authentication** Baseline default: *Disabled* @@ -1075,7 +1080,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotemanagement?WT.mc_id=Portal-fx#disallowdigestauthentication) -### Windows Components > Windows Remote Management (WinRM) > WinRM Service +#### Windows Components > Windows Remote Management (WinRM) > WinRM Service - **Allow Basic authentication** Baseline default: *Disabled* 
@@ -1089,7 +1094,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-remotemanagement?WT.mc_id=Portal-fx#disallowstoringofrunascredentials) -## Auditing +### Auditing - **Account Logon Audit Credential Validation** Baseline default: *Success+ Failure* @@ -1183,13 +1188,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Success+ Failure* [Learn more](/windows/client-management/mdm/policy-csp-Audit?WT.mc_id=Portal-fx#system_auditsystemintegrity) -## Data Protection +### Data Protection - **Allow Direct Memory Access** Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-dataprotection?WT.mc_id=Portal-fx#allowdirectmemoryaccess) -## Defender +### Defender - **Allow Archive Scanning** Baseline default: *Allowed. Scans the archive files.* @@ -1304,7 +1309,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Send all samples automatically.* [Learn more](/windows/client-management/mdm/policy-csp-defender?WT.mc_id=Portal-fx#submitsamplesconsent) -## Device Guard +### Device Guard - **Configure System Guard Launch** Baseline default: *Unmanaged Enables Secure Launch if supported by hardware* @@ -1322,7 +1327,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Turns on VBS with Secure Boot.* [Learn more](/windows/client-management/mdm/policy-csp-deviceguard?WT.mc_id=Portal-fx#requireplatformsecurityfeatures) -## Device Lock +### Device Lock - **Device Password Enabled** Baseline default: *Enabled* 
@@ -1338,13 +1343,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W Value: *14* [Learn more](/windows/client-management/mdm/policy-csp-devicelock?WT.mc_id=Portal-fx#mindevicepasswordlength) -## Dma Guard +### Dma Guard - **Device Enumeration Policy** Baseline default: *Block all (Most restrictive)* [Learn more](/windows/client-management/mdm/policy-csp-dmaguard?WT.mc_id=Portal-fx#deviceenumerationpolicy) -## Experience +### Experience - **Allow Windows Spotlight (User)** Baseline default: *Allow* @@ -1358,7 +1363,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-Experience?WT.mc_id=Portal-fx#allowthirdpartysuggestionsinwindowsspotlight) -## Firewall +### Firewall - **Enable Domain Network Firewall** Baseline default: *True* @@ -1455,19 +1460,19 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *False* [Learn more](/windows/client-management/mdm/firewall-csp?WT.mc_id=Portal-fx#mdmstorepublicprofileallowlocalipsecpolicymerge) -## Lanman Workstation +### Lanman Workstation - **Enable Insecure Guest Logons** Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-LanmanWorkstation?WT.mc_id=Portal-fx#enableinsecureguestlogons) -## Local Security Authority +### Local Security Authority - **Configure Lsa Protected Process** Baseline default: *Enabled with UEFI lock. LSA will run as protected process and this configuration is UEFI locked.* [Learn more](/windows/client-management/mdm/policy-csp-lsa#configurelsaprotectedprocess) -## Microsoft App Store +### Microsoft App Store - **Allow Game DVR** Baseline default: *Block* 
@@ -1481,9 +1486,9 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Disabled* [Learn more](/windows/client-management/mdm/policy-csp-ApplicationManagement?WT.mc_id=Portal-fx#msialwaysinstallwithelevatedprivileges) -## Microsoft Edge +### Microsoft Edge -### Content settings +#### Content settings - **Default Adobe Flash setting** Baseline default: *Disabled* @@ -1503,7 +1508,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Minimum TLS version enabled (User)** Baseline default: *TLS 1.2* -### SmartScreen settings +#### SmartScreen settings - **Configure Microsoft Defender SmartScreen** Baseline default: *Enabled* @@ -1511,19 +1516,19 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Prevent bypassing Microsoft Defender SmartScreen prompts for sites** Baseline default: *Enabled* -## Privacy +### Privacy - **Let Apps Activate With Voice Above Lock** Baseline default: *Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it.* [Learn more](/windows/client-management/mdm/policy-csp-Privacy?WT.mc_id=Portal-fx#letappsactivatewithvoiceabovelock) -## Search +### Search - **Allow Indexing Encrypted Stores Or Items** Baseline default: *Block* [Learn more](/windows/client-management/mdm/policy-csp-Search?WT.mc_id=Portal-fx#allowindexingencryptedstoresoritems) -## Smart Screen +### Smart Screen - **Enable Smart Screen In Shell** Baseline default: *Enabled* @@ -1533,7 +1538,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Enabled* [Learn more](/windows/client-management/mdm/policy-csp-smartscreen?WT.mc_id=Portal-fx#preventoverrideforfilesinshell) -### Enhanced Phishing Protection +#### Enhanced Phishing Protection - **Notify Malicious** Baseline default: *Enabled* 
@@ -1547,7 +1552,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W - **Service Enabled** Baseline default: *Enabled* -## User Rights +### User Rights - **Access From Network** Baseline default: *Configured* @@ -1659,19 +1664,19 @@ The settings in this baseline apply to Windows devices managed through Intune. W - `*S-1-5-32-544` [Learn more](/windows/client-management/mdm/policy-csp-UserRights?WT.mc_id=Portal-fx#takeownership) -## Virtualization Based Technology +### Virtualization Based Technology - **Hypervisor Enforced Code Integrity** Baseline default: *(Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock.* [Learn more](/windows/client-management/mdm/policy-csp-VirtualizationBasedTechnology?WT.mc_id=Portal-fx#hypervisorenforcedcodeintegrity) -## Windows Ink Workspace +### Windows Ink Workspace - **Allow Windows Ink Workspace** Baseline default: *Ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.* [Learn more](/windows/client-management/mdm/policy-csp-WindowsInkWorkspace?WT.mc_id=Portal-fx#allowwindowsinkworkspace) -## Local Policies Security Options +### Local Policies Security Options - **Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only** Baseline default: *Enabled* @@ -1764,7 +1769,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W **Windows 365 Cloud PC security baseline November 2021**: -## Above Lock +### Above Lock - **Voice activate apps from locked screen**: Baseline default: *Disabled* 
@@ -1774,13 +1779,13 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067101) -## App Runtime +### App Runtime - **Microsoft accounts optional for Microsoft store apps**: Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067104) -## Application management +### Application management - **Block app installations with elevated privileges**: Baseline default: *Yes* @@ -1794,7 +1799,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067056) -## Attack Surface Reduction Rules +### Attack Surface Reduction Rules For general information, see [Learn about attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide&preserve-view=true). @@ -1846,7 +1851,7 @@ For general information, see [Learn about attack surface reduction rules](/micro Baseline default: *Block* [Learn more](https://go.microsoft.com/fwlink/?linkid=872980) -## Audit +### Audit Audit settings configure the events that are generated for the conditions of the setting. @@ -1922,7 +1927,7 @@ Audit settings configure the events that are generated for the conditions of the - **System Audit System Integrity (Device)**: Baseline default: *Success and Failure* -## Auto Play +### Auto Play - **Auto play default auto run behavior**: Baseline default: *Do not execute* @@ -1936,7 +1941,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067106) -## Browser +### Browser - **Block Password Manager**: Baseline default: *Yes* 
@@ -1958,7 +1963,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067126) -## Connectivity +### Connectivity - **Configure secure access to UNC paths**: Baseline default: *Configure Windows to only allow access to the specified UNC paths after fulfilling additional security requirements* @@ -1975,19 +1980,19 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067136) -## Credentials Delegation +### Credentials Delegation - **Remote host delegation of non-exportable credentials**: Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067103) -## Credentials UI +### Credentials UI - **Enumerate administrators**: Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067021) -## Device Guard +### Device Guard - **Virtualization based security**: Baseline default: *Enable VBS with secure boot* @@ -2003,7 +2008,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Enable with UEFI lock* [Learn more](https://go.microsoft.com/fwlink/?linkid=872424) -## Device Installation +### Device Installation - **Block hardware device installation by setup classes** Baseline default: *Yes* @@ -2013,12 +2018,12 @@ Audit settings configure the events that are generated for the conditions of the - **Block list** *Not configured by default. Manually add one or more Identifiers.* -## DMA Guard +### DMA Guard - **Enumeration of external devices incompatible with Kernel DMA Protection** Baseline default: *Block all* -## Event Log Service +### Event Log Service - **Application log maximum file size in KB** Baseline default: *32768* 
@@ -2032,13 +2037,13 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *196608* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067042) -## Experience +### Experience - **Block Windows Spotlight** Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067037) -## File Explorer +### File Explorer - **Block data execution prevention** Baseline default: *Disabled* @@ -2048,7 +2053,7 @@ Audit settings configure the events that are generated for the conditions of the Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067107) -## Firewall +### Firewall For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlink/?linkid=2066796) in the Windows Protocols documentation. @@ -2120,7 +2125,7 @@ For more information, see [2.2.2 FW_PROFILE_TYPE](https://go.microsoft.com/fwlin Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=872567) -## Internet Explorer +### Internet Explorer View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/policy-csp-internetexplorer). @@ -2596,7 +2601,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067122) -## Local Policies Security Options +### Local Policies Security Options - **Block remote logon with blank password** Baseline default: *Yes* @@ -2682,7 +2687,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067321) -## Microsoft Defender +### Microsoft Defender - **Turn on real-time protection** Baseline default: *Yes* 
@@ -2730,7 +2735,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2113937) -## Microsoft Defender Antivirus Exclusions +### Microsoft Defender Antivirus Exclusions > [!WARNING] > **Defining exclusions lowers the protection offered by Microsoft Defender Antivirus**. Always evaluate the risks that are associated with implementing exclusions. Only exclude files you know aren't malicious. @@ -2746,7 +2751,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po - **Defender Files And Folders To Exclude** Baseline default: *Not configured by default. Manually add one or more entries.* -## Microsoft Edge +### Microsoft Edge - **Control which extensions cannot be installed** Baseline default: *Enabled* @@ -2796,7 +2801,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po - **Supported authentication schemes** Baseline defaults: Two items: *NTLM* and *Negotiate* -## MS Security Guide +### MS Security Guide - **SMB v1 client driver start configuration** Baseline default: *Disable driver* @@ -2818,7 +2823,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067193) -## MSS Legacy +### MSS Legacy - **Network IPv6 source routing protection level** Baseline default: *Highest protection* 
@@ -2836,13 +2841,13 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067326) -## Remote Assistance +### Remote Assistance - **Remote Assistance solicited** Baseline default: *Disable Remote Assistance* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067198) -## Remote Desktop Services +### Remote Desktop Services - **Remote desktop services client connection encryption level** Baseline default: *High* @@ -2863,7 +2868,7 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067248) -## Remote Management +### Remote Management - **Block client digest authentication** Baseline default: *Enabled* @@ -2889,19 +2894,19 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Disabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067226) -## Remote Procedure Call +### Remote Procedure Call - **RPC unauthenticated client options** Baseline default: *Authenticated* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067225) -## Search +### Search - **Disable indexing encrypted items** Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067303) -## Smart Screen +### Smart Screen - **Turn on Windows SmartScreen** Baseline default: *Yes* 
@@ -2911,31 +2916,31 @@ View the full list of [Internet Explorer CSPs](/windows/client-management/mdm/po Baseline default: *Yes* [Learn more](https://go.microsoft.com/fwlink/?linkid=872783) -## System +### System - **System boot start driver initialization** Baseline default: *Good unknown and bad critical* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067307) -## Windows Connection Manager +### Windows Connection Manager - **Block connection to non-domain networks** Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067323) -## Windows Ink Workspace +### Windows Ink Workspace - **Ink Workspace** Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067241) -## Windows PowerShell +### Windows PowerShell - **PowerShell script block logging** Baseline default: *Enabled* [Learn more](https://go.microsoft.com/fwlink/?linkid=2067330) -## Windows Security +### Windows Security - **Enable tamper protection to prevent Microsoft Defender being disabled** Baseline default: *Enable* From 1e0d58406b57e8ef890c8dce48e99ed61d56650c Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 9 Jan 2025 15:10:12 -0800 Subject: [PATCH 13/14] Update M365 Apps security baselines --- .../security-baseline-v2-office-settings.md | 115 +++++++++--------- 1 file changed, 56 insertions(+), 59 deletions(-) diff --git a/memdocs/intune/protect/security-baseline-v2-office-settings.md b/memdocs/intune/protect/security-baseline-v2-office-settings.md index 2417c6ae4e1..0de8c6d843e 100644 --- a/memdocs/intune/protect/security-baseline-v2-office-settings.md +++ b/memdocs/intune/protect/security-baseline-v2-office-settings.md @@ -7,7 +7,7 @@ description: View a list of the settings in the Microsoft Intune security baseli author: brenduns ms.author: brenduns manager: dougeby -ms.date: 09/13/2024 +ms.date: 01/09/2025 ms.topic: reference ms.service: microsoft-intune ms.subservice: protect 
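Review bot: the hunks in this patch only demote existing `##` headings to `###` (Microsoft Defender Antivirus Exclusions through Windows Security) and add no `##` of their own, so confirm that a level-2 heading for this baseline version already exists above the first demoted section in the zone; otherwise these sections end up at level 3 directly under the page title with no parent.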
@@ -52,27 +52,26 @@ This article is a reference for the settings that are available in the Microsoft ## About this reference article -Each security baseline is a group of preconfigured settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration profiles. +Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings. -The details that are displayed in this article are based on baseline version that is selected at the top of the article. For each selection, this article displays: +The details that display in this article are based on baseline version you select at the top of the article. For each version, this article displays: -- A list of each setting in that baseline version. -- The default configuration of each setting in that baseline version. -- When available, a link to the underlying configuration service provider (CSP) documentation, or other related content from the relevant product group that provides context and possibly additional details for the settings use. +- A list of each and its configuration as found in the default instance of that baseline version. +- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a settings use. 
When a new version of a baseline becomes available, it replaces the previous version. Profile instances that you’ve created prior to the availability of a new version: - Become read-only. You can continue to use those profiles but can't edit them to change their configuration. -- Can be updated to the latest version. After you update a profile to the current baseline version, you can edit the profile to modify settings. +- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings. To learn more about using security baselines, see: - - [Use security baselines](../protect/security-baselines.md) -- [Manage security baselines](../protect/security-baselines-configure.md). +- [Change the baseline version for a profile](../protect/security-baselines-configure.md#update-baselines-that-use-the-previous-format) +- [Manage security baselines](../protect/security-baselines-configure.md) ::: zone pivot="office-may-2023" -**Microsoft 365 Apps for Enterprise security baseline for May 2023** +## Microsoft 365 Apps for Enterprise security baseline for May 2023 This baseline version was first made available in May of 2023. It was replaced by the Baseline *Version 2306* @@ -81,7 +80,7 @@ For more information about the following settings that are included in this base ::: zone-end ::: zone pivot="v2306" -**Microsoft 365 Apps for Enterprise for security baseline version 2306** +## Microsoft 365 Apps for Enterprise for security baseline version 2306 This baseline version was first made available in November 2023, and replaces the *May 2023* version. @@ -90,9 +89,9 @@ For more information about the following settings that are included in this base ::: zone-end ::: zone pivot="office-may-2023,v2306" -## Administrative Templates +### Administrative Templates -*MS Security Guide* +### MS Security Guide - **Block Flash activation in Office documents** Baseline default: *Enabled* 
@@ -130,11 +129,9 @@ For more information about the following settings that are included in this base - **Word: (Device)** Baseline default: *69632* +### Microsoft Access 2016 - -## Microsoft Access 2016 - -*Application Settings > Security > Trust Center* +#### Application Settings > Security > Trust Center - **Block macros from running in Office files from the Internet (User)** Baseline default: *Enabled* @@ -156,29 +153,29 @@ For more information about the following settings that are included in this base Baseline default: *Enabled* - Baseline default: *Disable all with notification* -*Application Settings > Security > Trust Center > Trusted Locations* +#### Application Settings > Security > Trust Center > Trusted Locations - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* ### Microsoft Excel 2016 -*Data Recovery* +#### Data Recovery - **Do not show data extraction options when opening corrupt workbooks (User)** Baseline default: *Enabled* -*Excel Options > Advanced* +#### Excel Options > Advanced - **Ask to update automatic links (User)** Baseline default: *Enabled* -*Excel Options > Advanced > General* +#### Excel Options > Advanced > General - **Load pictures from Web pages not created in Excel (User)** Baseline default: *Disabled* -*Excel Options > Save* +#### Excel Options > Save - **Disable AutoRepublish (User)** Baseline default: *Enabled* @@ -186,7 +183,7 @@ For more information about the following settings that are included in this base - **Do not show AutoRepublish warning alert (User)** Baseline default: *Disabled* -*Excel Options > Security* +#### Excel Options > Security - **Force file extension to match file type (User)** Baseline default: *Enabled* 
@@ -203,7 +200,7 @@ For more information about the following settings that are included in this base Baseline default: *Enabled* - Baseline default: *Disable all with notification* -*Excel Options > Security > Trust Center* +#### Excel Options > Security > Trust Center ::: zone-end ::: zone pivot="v2306" @@ -239,7 +236,7 @@ For more information about the following settings that are included in this base Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -*Excel Options > Security > Trust Center > External Content* +#### Excel Options > Security > Trust Center > External Content - **Always prevent untrusted Microsoft Query files from opening (User)** Baseline default: *Enabled* @@ -257,7 +254,7 @@ For more information about the following settings that are included in this base ::: zone-end ::: zone pivot="office-may-2023,v2306" -*Excel Options > Security > Trust Center > File Block Settings* +#### Excel Options > Security > Trust Center > File Block Settings - **dBase III / IV files (User)** Baseline default: *Enabled* @@ -328,7 +325,7 @@ For more information about the following settings that are included in this base - **File block setting: (User)** Baseline default: *Open/Save blocked, use open policy* -*Excel Options > Security > Trust Center > Protected View* +#### Excel Options > Security > Trust Center > Protected View - **Always open untrusted database files in Protected View (User)** Baseline default: *Enabled* 
@@ -348,12 +345,12 @@ For more information about the following settings that are included in this base - **Turn off Protected View for attachments opened from Outlook (User)** Baseline default: *Disabled* -*Excel Options > Security > Trust Center > Trusted Locations* +#### Excel Options > Security > Trust Center > Trusted Locations - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* -## Microsoft Lync Feature Policies +### Microsoft Lync Feature Policies - **Configure SIP security mode** Baseline default: *Enabled* @@ -361,9 +358,9 @@ For more information about the following settings that are included in this base - **Disable HTTP fallback for SIP connection** Baseline default: *Enabled* -## Microsoft Office 2016 +### Microsoft Office 2016 -*Customize* +#### Customize - **Disable UI extending from documents and templates (User)** Baseline default: *Enabled* @@ -395,7 +392,7 @@ For more information about the following settings that are included in this base - **Disallow in Visio (User)** Baseline default: *True* -*Security Settings* +#### Security Settings - **ActiveX Control Initialization (User)** Baseline default: *Enabled* 
@@ -467,24 +464,24 @@ For more information about the following settings that are included in this base - **Protect document metadata for rights managed Office Open XML Files (User)** Baseline default: *Enabled* -*Security Settings > Trust Center* +#### Security Settings > Trust Center - **Allow mix of policy and user locations (User)** Baseline default: *Disabled* -*Server Settings* +#### Server Settings - **Disable the Office client from polling the SharePoint Server for published links (User)** Baseline default: *Enabled* -*Smart Documents (Word, Excel)* +#### Smart Documents (Word, Excel) - **Disable Smart Document's use of manifests (User)** Baseline default: *Enabled* -## Microsoft Office 2016 (Machine) +### Microsoft Office 2016 (Machine) -*Security Settings > IE Security* +#### Security Settings > IE Security - **Add-on Management** Baseline default: *Enabled* @@ -1071,9 +1068,9 @@ For more information about the following settings that are included in this base - **spDesign.exe (Device)** Baseline default: *True* -## Microsoft Outlook 2016 +### Microsoft Outlook 2016 -*Security > Security Form Settings* +#### Security > Security Form Settings The "Outlook Security Mode" policy controls how security settings in Outlook are enforced. To manage any of the dependent Outlook security policies using Microsoft Intune, Office cloud policy service, or Group policy this policy must be enabled and the Outlook Security Policy dropdown set to "Use Outlook Security Group Policy". @@ -1195,9 +1192,9 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Guard behavior: (User) Baseline default: *Automatically Deny* -## Microsoft PowerPoint 2016 +### Microsoft PowerPoint 2016 -*PowerPoint Options > Security* +#### PowerPoint Options > Security ::: zone-end ::: zone pivot="v2306" 
@@ -1224,7 +1221,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Turn off file validation (User)** Baseline default: *Disabled* -*PowerPoint Options > Security > Trust Center* +#### PowerPoint Options > Security > Trust Center - **Block macros from running in Office files from the Internet (User**) Baseline default: *Enabled* @@ -1248,7 +1245,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -*PowerPoint Options > Security > Trust Center > File Block Settings* +#### PowerPoint Options > Security > Trust Center > File Block Settings - **PowerPoint 97-2003 presentations, shows, templates and add-in files (User)** Baseline default: *Enabled* @@ -1259,7 +1256,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are Baseline default: *Enabled* - Baseline default: *Blocked files are not opened* -*PowerPoint Options > Security > Trust Center > Protected View* +#### PowerPoint Options > Security > Trust Center > Protected View - **Do not open files from the Internet zone in Protected View (User)** Baseline default: *Disabled* @@ -1277,14 +1274,14 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Turn off Protected View for attachments opened from Outlook (User)** Baseline default: *Disabled* -*PowerPoint Options > Security > Trust Center > Trusted Locations* +#### PowerPoint Options > Security > Trust Center > Trusted Locations - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* -## Microsoft Project 2016 +### Microsoft Project 2016 -*Project Options > Security > Trust Center* +#### Project Options > Security > Trust Center - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* 
@@ -1308,15 +1305,15 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -## Microsoft Publisher 2016 +### Microsoft Publisher 2016 -*Security* +#### Security - **Publisher Automation Security Level (User)** Baseline default: *Enabled* - Baseline default: *By UI (prompted)* -*Security > Trust Center* +#### Security > Trust Center ::: zone-end ::: zone pivot="v2306" @@ -1341,9 +1338,9 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -## Microsoft Visio 2016 +### Microsoft Visio 2016 -*Visio Options > Security > Trust Center* +#### Visio Options > Security > Trust Center - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* @@ -1370,7 +1367,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -*Visio Options > Security > Trust Center > File Block Settings* +#### Visio Options > Security > Trust Center > File Block Settings - **Visio 2000-2002 Binary Drawings, Templates and Stencils (User)** Baseline default: *Enabled* @@ -1387,9 +1384,9 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **File block setting: (User)** Baseline default: *Open/Save blocked* -## Microsoft Word 2016 +### Microsoft Word 2016 -*Word Options > Security > Trust Center* +#### Word Options > Security > Trust Center - **Block macros from running in Office files from the Internet (User)** Baseline default: *Enabled* 
@@ -1420,7 +1417,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are Baseline default: *Enabled* - Baseline default: *Disable all except digitally signed macros* -*Word Options > Security > Trust Center > File Block Settings* +#### Word Options > Security > Trust Center > File Block Settings - **Set default file block behavior (User)** Baseline default: *Enabled* @@ -1466,7 +1463,7 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **File block setting: (User)** Baseline default: *Open/Save blocked, use open policy* -*Word Options > Security > Trust Center > Protected View* +#### Word Options > Security > Trust Center > Protected View - **Do not open files from the Internet zone in Protected View (User)** Baseline default: *Disabled* @@ -1485,12 +1482,12 @@ The "Outlook Security Mode" policy controls how security settings in Outlook are - **Turn off Protected View for attachments opened from Outlook (User)** Baseline default: *Disabled* -*Word Options > Security* +#### Word Options > Security - **Turn off file validation (User)** Baseline default: *Disabled* -*Word Options > Security > Trust Center > Trusted Locations* +#### Word Options > Security > Trust Center > Trusted Locations - **Allow Trusted Locations on the network (User)** Baseline default: *Disabled* From 9929f8d2f4563c9ee06af2609855c3f95e802be8 Mon Sep 17 00:00:00 2001 From: brenduns Date: Thu, 9 Jan 2025 15:29:27 -0800 Subject: [PATCH 14/14] Minor formatting fix --- .../intune/protect/security-baseline-settings-windows-365.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/memdocs/intune/protect/security-baseline-settings-windows-365.md b/memdocs/intune/protect/security-baseline-settings-windows-365.md index bf680f38419..b4148c2b53a 100644 --- a/memdocs/intune/protect/security-baseline-settings-windows-365.md +++ b/memdocs/intune/protect/security-baseline-settings-windows-365.md 
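Review bot: the rewritten bullet in the `@@ -52,27 +52,26 @@` hunk drops its noun: "A list of each and its configuration as found in the default instance of that baseline version" should read "A list of each setting and its configuration ...". The same hunk also needs "based on the baseline version you select" and "a setting's use" (possessive), and "preconfigured Windows settings" conflicts with the scope of this article, which documents Microsoft 365 Apps settings (Access, Excel, Outlook, and so on); suggest "preconfigured settings" or "preconfigured Microsoft 365 Apps settings".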
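Review bot: in the `@@ -90,9 +89,9 @@` hunk, `### MS Security Guide` sits at the same level as the `### Administrative Templates` heading that precedes it, even though it was an italic sub-group under Administrative Templates before. Everywhere else in this patch the italic sub-groups become `####` (for example `#### Application Settings > Security > Trust Center`), so this one should be `#### MS Security Guide` for a consistent outline.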
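Review bot: in the `@@ -130,11 +129,9 @@` hunk, `+### Microsoft Access 2016` is inserted immediately after `Baseline default: *69632*`, with the blank line now following the heading instead of preceding it. Move the heading below the blank line so it is separated from the preceding list item the way every other `###` heading in the file is.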
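Review bot: the context line `- **Guard behavior: (User)` in the `@@ -1195,9 +1192,9 @@` hunk never closes its bold marker, so the bold runs into the following `Baseline default` text when rendered. Since this hunk already touches the surrounding headings, add the closing `**` after `(User)`.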
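Review bot: the context line `- **Block macros from running in Office files from the Internet (User**)` in the `@@ -1224,7 +1221,7 @@` hunk closes the bold inside the parenthesis; it should be `(User)**` to match the same setting name as written under Access and Word.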
@@ -1767,7 +1767,7 @@ The settings in this baseline apply to Windows devices managed through Intune. W ::: zone pivot="win365-nov21" -**Windows 365 Cloud PC security baseline November 2021**: +## Windows 365 Cloud PC security baseline November 2021 ### Above Lock
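Review bot: this hunk promotes only the `win365-nov21` zone label to a `## Windows 365 Cloud PC security baseline November 2021` heading (dropping the trailing colon, which is correct for a heading). Confirm the other Windows 365 zone pivots in this file get the same bold-to-`##` treatment, otherwise the `### Above Lock` sections under the other versions will have no level-2 parent while this one does.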