windows-v3.6

[SkipToTheEndpoint]

Windows v3.6 - 2025-05-13 - Post-MMS Edition

Added

Settings Catalog

Win - OIB - SC - Microsoft Office - D - Device Security - v3.6
Win - OIB - SC - Microsoft Office - U - User Security - v3.6
By popular demand, I've added a new set of policies to help secure Microsoft Office on Windows devices. These policies are based on the most recent Microsoft 365 Apps Security Baseline v2412 and are designed to enhance the security posture of Office applications.

I have split the policies into two separate profiles: one for Device Security and one for User Security. This allows for more granular control over the security settings applied to Office applications if required.

Important

These policies are only applicable to Microsoft 365 Apps for Enterprise (included with M365 E*/A*/F*), not Microsoft 365 Apps for Business (included with M365 Business Premium).
This behaviour is documented here

Warning

The M365 Apps Security Baseline disables a number of features that may impact user experience, such the use macros, add-ins. Please review the settings and test in a controlled environment before deploying widely!

Win - OIB - SC - Device Security - D - Local Security Policies (24H2+) - v3.6

• Exact duplicate of the existing Local Security Policies profile with one difference to support the new LAPS settings while maintaining a good security posture.
  • Accounts Enable Administrator Account Status - Disable

Endpoint Security

Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6

• Added the following settings to benefit from the new 24H2 LAPS configuration:
  • Backup Directory - Backup the password to Azure AD only
  • Password Age (Days) - 7
  • Password Complexity - Passphrase (short words with unique prefixes)
    • Passphrase Length - 4
  • Password Length - 21
  • Post-Authentication Actions - Reset the password, logoff the managed account, and terminate any remaining processes
  • Post-Authentication Reset Delay (Hours) - 1
  • Automatic Account Management Enabled - The target account will be automatically managed
    • Automatic Account Management Enable Account - The target account will be automatically managed
    • Automatic Account Management Randomize Name - The name of the target account will not use a random numeric suffix
    • Automatic Account Management Target - Manage a new custom administrator account

Changed/Updated

Settings Catalog

Win - OIB - SC - Defender Antivirus - D - Additional Configuration

• Added newly added setting from the 24H2 Security Baseline:
  • Enable Dynamic Signature Dropped Event Reporting - Dynamic Security intelligence update events will be reported.

Win - OIB - SC - Device Security - D - Security Hardening

• Added additional settings now available from the 24H2 Security Baseline:

  Lanman Server

  • Audit Client Does Not Support Encryption - Enabled
  • Audit Client Does Not Support Signing - Enabled
  • Audit Insecure Guest Logon - Enabled
  • Auth Rate Limiter Delay In Ms - 2000
  • Enable Auth Rate Limiter - Enabled
  • Enable Mailslots - Disabled
  • Max Smb2 Dialect - SMB 3.0.0
  • Min Smb2 Dialect - SMB 3.1.1

  Lanman Workstation

  • Audit Server Does Not Support Encryption - Enabled
  • Audit Server Does Not Support Signing - Enabled
  • Audit Insecure Guest Logon - Enabled
  • Enable Mailslots - Disabled
  • Max Smb2 Dialect - SMB 3.0.0
  • Min Smb2 Dialect - SMB 3.1.1
  • Require Encryption - Disabled

Win - OIB - SC - Device Security - U - Power and Device Lock

• Removed following settings as they have been removed from the CIS recommendations:
  • Allow standby states (S1-S3) when sleeping (on battery)
  • Allow standby states (S1-S3) when sleeping (plugged in)
  • Allow Hibernate
  • Require use of fast startup

Win - OIB - SC - Microsoft Edge - D - Security

• Added the following settings from the Microsoft Edge baseline and CIS Edge Benchmark:

  • Allow download restrictions - Block Malicious Downloads (Reduced from "Block malicious downloads and dangerous file types")
  • Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode - Disabled
  • Dynamic Code Settings - Enabled
    *Dynamic Code Settings (Device) - Default Dynamic Code Settings
  • Enable Application Bound Encryption - Enabled
  • Enable browser legacy extension point blocking - Enabled
  • Enable site isolation for every site - Enabled
  • Enhance the security state in Microsoft Edge - Enabled
    • Enhance the security state in Microsoft Edge (Device) - Balanced Mode
  • Show the Reload in Internet Explorer mode button in the toolbar - Disabled
  • Specifies whether to allow insecure websites to make requests to more-private network endpoints - Disabled

• Added the following setting to turn on the new Scareware Protection feature.

  • Configure Edge Scareware Blocker Protection - Enabled

Win - OIB - SC - Microsoft Edge - D - Updates

• Added "Set the time period for update notifications" configured to 259200000 which is the time in milliseconds (72 hours) before Edge forces a restart to apply a pending update.

Win - OIB - SC - Microsoft Edge - U - User Experience

• Removed "Enable full-tab promotional content" as it was deprecated.
• Added "Enable Gamer Mode" set to Disabled

Win - OIB - SC - Microsoft Office - U - Config and Experience

• Removed deprecated version of "Allow users to receive and respond to in-product surveys from Microsoft".

Win - OIB - SC - Windows User Experience - U - Copilot

• Changed "Turn Off Copilot in Windows" from "Enable Copilot" to "Disable Copilot".

Note

This only impacts the old experience. I recommend also deploying the "Microsoft Copilot" app (9NHT9RB2F4HD) as a required uninstall.
https://learn.microsoft.com/en-gb/windows/client-management/manage-windows-copilot#policy-information-for-previous-copilot-in-windows-preview-experience

---

This discussion was created from the release windows-v3.6.

[RobvandevenVenlo]

First, a great job on the baselines.

Question, why not use the "Policies for Microsoft 365 apps" for the Office part ?

[SkipToTheEndpoint]

Hey @RobvandevenVenlo

There's a few reasons I chose to create them as Settings Catalog policies:

1. To keep device management actually within Intune. The "Policies for Microsoft 365 apps" section is actually an iFrame to config.office.com and creates cloud policy that can apply to devices not even enrolled into Intune.
2. As an extension of the above, that also means you can't export or import them as config.office.com is an undocumented API.

[rmcbarnet]

What is the concensus on deploying the new 24H2+ LAPS policies in a mixed 23H2/24H2 environment.

I've considered using assignment filters but the operatingsystemversion parameter that allows the greater than and less than operator doesn't work and the deprecated osVersion does not have these. We also use CIPP to centrally roll out the policies with assignments but that does not offer the ability to add the filters.

For now I am holding off on these until we either have universal 24H2 (should have in the next two months) or I can find a way to filter.

[incedIT]

I set up an assignment filter using syntax (device.osVersion -startsWith "10.0.26") and then used the include/exclude filter when assigning the policy to all devices. Although deprecated, when they retire it, existing filters will continue to work and only a handful of my devices are under 24H2 anyway. I use CIPP but not for policies yet.

[rmcbarnet]

We currently use Intune Manager but as an MSP it has become very difficult pushing out policy changes and updates across all our clients. We have long wanted to use CIPP to push out policies to a) make the process more efficient and b) ensure standards are maintained and any "tampering" with local policies are revereted back to standards. We are now in a test process of ucing CIPP.

There are challenges though:

1. We have had to use a new naming convention for all the OIB policies to accomodate our own naming convention and, more critically, move the version number into the description field. CIPP will sync policies based on the name so we needed to achieve consistency between out library tenant and each client tenant. Our naming standard looks like this "Device Security - Timezone - BL - D".
2. We still need to use Intune Manager to bring in Named Locations and a few other odds and ends.
3. Setting up is very laborious as each policy needs to be individually adding to each Standards template (we saved a fair bit of time by cloning the template once all the polcieis had been uploaded and then adapting them).
4. Any additional policies need to be adding to all the Standards templates.
5. Assignment Filters are not supported in CIPP so I need to find a different solution for how we cater for the new 24H2+ only policies.
6. The OneDrive policy is also an issue as it locks down to the tenantID. This is fine with Intune Manager which updates it on import but when pushed from CIPP will either need to be excluded from the standard or another solution found.

[rmcbarnet]

Ignore 6. I'd completely forgotten about variables.

[SkipToTheEndpoint]

@rmcbarnet How I've achieved this in my dev tenant is by using a Filter. The greater than and less than operators do actually work, they're just currently broken in the filter preview.

I use (device.operatingSystemVersion -ge 10.0.26100.0000) for 24H2+ devices and include/exclude appropriately on the policies.

That's some good insight on trying to use CIPP to deploy them. What Kelvin & the team have done to support them is wonderful, but it also has to be pretty broad. Without creating something custom for the OIB's, the points you mention will likely continue to be a pain.