2025-05-19 15:02:55 -04:00


Intune documentation

OS: Windows

Version: v3.6

Generated: 2025-05-13

Table of Contents

Device configuration

Settings Catalog

Win - OIB - ES - Attack Surface Reduction - D - ASR Rules (Audit Mode) - v3.1

Name Value
Basics
Name Win - OIB - ES - Attack Surface Reduction - D - ASR Rules (Audit Mode) - v3.1
Description
Profile type Settings catalog
Category Attack surface reduction
Policy type Attack Surface Reduction Rules
Platform supported Windows 10 and later
Created 09 August 2023 16:01:18
Last modified 05 December 2024 19:36:18
Scope tags Default
Table 1. Basics - Win - OIB - ES - Attack Surface Reduction - D - ASR Rules (Audit Mode) - v3.1
Name Value
Defender
Attack Surface Reduction Rules Not configured
Block execution of potentially obfuscated scripts Audit
Block Office communication application from creating child processes Audit
Block all Office applications from creating child processes Audit
Block Win32 API calls from Office macros Audit
Block executable files from running unless they meet a prevalence, age, or trusted list criterion Audit
Block JavaScript or VBScript from launching downloaded executable content Audit
Block untrusted and unsigned processes that run from USB Audit
Block Adobe Reader from creating child processes Audit
Block credential stealing from the Windows local security authority subsystem Audit
Block abuse of exploited vulnerable signed drivers (Device) Audit
Block persistence through WMI event subscription Audit
Block use of copied or impersonated system tools Audit
Block Office applications from injecting code into other processes Audit
Use advanced protection against ransomware Audit
Block process creations originating from PSExec and WMI commands Audit
Block Office applications from creating executable content Audit
Block rebooting machine in Safe Mode Audit
Block executable content from email client and webmail Audit
Enable Controlled Folder Access Audit Mode
Table 2. Settings - Win - OIB - ES - Attack Surface Reduction - D - ASR Rules (Audit Mode) - v3.1

Win - OIB - ES - Attack Surface Reduction - D - ASR Rules (L2) - v3.3

Name Value
Basics
Name Win - OIB - ES - Attack Surface Reduction - D - ASR Rules (L2) - v3.3
Description DO NOT ASSIGN THIS POLICY WITHOUT VALIDATING VIA AUDIT MODE FIRST!
https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize
Profile type Settings catalog
Category Attack surface reduction
Policy type Attack Surface Reduction Rules
Platform supported Windows 10 and later
Created 22 August 2024 18:56:38
Last modified 05 December 2024 19:36:30
Scope tags Default
Table 3. Basics - Win - OIB - ES - Attack Surface Reduction - D - ASR Rules (L2) - v3.3
Name Value
Defender
Attack Surface Reduction Rules Not configured
Block execution of potentially obfuscated scripts Warn
Block Office communication application from creating child processes Warn
Block all Office applications from creating child processes Block
Block Win32 API calls from Office macros Block
Block executable files from running unless they meet a prevalence, age, or trusted list criterion Audit
Block JavaScript or VBScript from launching downloaded executable content Block
Block untrusted and unsigned processes that run from USB Block
Block Adobe Reader from creating child processes Block
Block credential stealing from the Windows local security authority subsystem Audit
Block abuse of exploited vulnerable signed drivers (Device) Block
Block persistence through WMI event subscription Block
Block use of copied or impersonated system tools Audit
Block Office applications from injecting code into other processes Warn
Use advanced protection against ransomware Block
Block process creations originating from PSExec and WMI commands Warn
Block Office applications from creating executable content Block
Block rebooting machine in Safe Mode Audit
Block executable content from email client and webmail Block
Enable Controlled Folder Access Audit Mode
Table 4. Settings - Win - OIB - ES - Attack Surface Reduction - D - ASR Rules (L2) - v3.3

Win - OIB - ES - Defender Antivirus - D - AV Configuration - v3.3

Name Value
Basics
Name Win - OIB - ES - Defender Antivirus - D - AV Configuration - v3.3
Description
Profile type Settings catalog
Category Antivirus
Policy type Microsoft Defender Antivirus
Platform supported Windows 10 and later
Created 21 August 2024 12:15:30
Last modified 05 December 2024 19:34:28
Scope tags Default
Table 5. Basics - Win - OIB - ES - Defender Antivirus - D - AV Configuration - v3.3
Name Value
Defender
Allow Archive Scanning Allowed. Scans the archive files.
Allow Behavior Monitoring Allowed. Turns on real-time behavior monitoring.
Allow Cloud Protection Allowed. Turns on Cloud Protection.
Allow Email Scanning Allowed. Turns on email scanning.
Allow Full Scan Removable Drive Scanning Allowed. Scans removable drives.
Allow scanning of all downloaded files and attachments Allowed.
Allow Realtime Monitoring Allowed. Turns on and runs the real-time monitoring service.
Allow Scanning Network Files Allowed. Scans network files.
Allow Script Scanning Allowed.
Allow User UI Access Allowed. Lets users access UI.
Avg CPU Load Factor 50 (percent)
Check For Signatures Before Running Scan Enabled
Cloud Block Level High
Cloud Extended Timeout 50 (seconds)
Disable Catchup Full Scan Disabled
Disable Catchup Quick Scan Disabled
Enable Low CPU Priority Enabled
Enable Network Protection Enabled (block mode)
PUA Protection PUA Protection on. Detected items are blocked. They will show in history along with other threats.
Real Time Scan Direction Monitor all files (bi-directional).
Schedule Quick Scan Time 660 (minutes after midnight, i.e. 11:00)
Signature Update Interval 1 (hours)
Submit Samples Consent Send safe samples automatically.
Disable Local Admin Merge Disable Local Admin Merge
Allow On Access Protection Allowed.
Threat Severity Default Action Not configured
Remediation action for High severity threats Remove. Removes files from system.
Remediation action for Severe threats Remove. Removes files from system.
Remediation action for Low severity threats Block. Blocks file execution.
Remediation action for Moderate severity threats Remove. Removes files from system.
Metered Connection Updates Allowed
Table 6. Settings - Win - OIB - ES - Defender Antivirus - D - AV Configuration - v3.3

Win - OIB - ES - Defender Antivirus - D - Security Experience - v3.3

Name Value
Basics
Name Win - OIB - ES - Defender Antivirus - D - Security Experience - v3.3
Description NOTE: The "Tamper Protection" setting requires an active Defender for Endpoint P1/P2 or Defender for Business license.

https://learn.microsoft.com/en-us/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
Profile type Settings catalog
Category Antivirus
Policy type Windows Security Experience
Platform supported Windows 10 and later
Created 29 July 2024 15:33:50
Last modified 28 February 2025 12:41:56
Scope tags Default
Table 7. Basics - Win - OIB - ES - Defender Antivirus - D - Security Experience - v3.3
Name Value
Defender
TamperProtection (Device) On
Windows Defender Security Center
Disable Family UI (Enable) The users cannot see the display of the family options area in Windows Defender Security Center.
Disable Enhanced Notifications (Disable) Windows Defender Security Center will display critical and non-critical notifications to users.
Hide Windows Security Notification Area Control Disabled
Table 8. Settings - Win - OIB - ES - Defender Antivirus - D - Security Experience - v3.3

Win - OIB - ES - Defender Antivirus Updates - Ring 1 - Pilot - v3.4

Name Value
Basics
Name Win - OIB - ES - Defender Antivirus Updates - Ring 1 - Pilot - v3.4
Description
Profile type Settings catalog
Category Antivirus
Policy type Defender Update controls
Platform supported Windows 10 and later
Created 19 August 2023 17:17:32
Last modified 24 January 2025 13:16:50
Scope tags Default
Table 9. Basics - Win - OIB - ES - Defender Antivirus Updates - Ring 1 - Pilot - v3.4
Name Value
Defender
Engine Updates Channel Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Platform Updates Channel Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Security Intelligence Updates Channel Not configured (Default). Microsoft will either assign the device to Current Channel (Broad) or a beta channel early in the gradual release cycle. The channel selected by Microsoft might be one that receives updates early during the gradual release cycle, which may not be suitable for devices in a production or critical environment.
Table 10. Settings - Win - OIB - ES - Defender Antivirus Updates - Ring 1 - Pilot - v3.4

Win - OIB - ES - Defender Antivirus Updates - Ring 2 - UAT - v3.4

Name Value
Basics
Name Win - OIB - ES - Defender Antivirus Updates - Ring 2 - UAT - v3.4
Description
Profile type Settings catalog
Category Antivirus
Policy type Defender Update controls
Platform supported Windows 10 and later
Created 19 August 2023 17:19:59
Last modified 24 January 2025 13:17:46
Scope tags Default
Table 11. Basics - Win - OIB - ES - Defender Antivirus Updates - Ring 2 - UAT - v3.4
Name Value
Defender
Engine Updates Channel Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Platform Updates Channel Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Security Intelligence Updates Channel Current Channel (Staged): Same as Current Channel (Broad).
Table 12. Settings - Win - OIB - ES - Defender Antivirus Updates - Ring 2 - UAT - v3.4

Win - OIB - ES - Defender Antivirus Updates - Ring 3 - Production - v3.4

Name Value
Basics
Name Win - OIB - ES - Defender Antivirus Updates - Ring 3 - Production - v3.4
Description
Profile type Settings catalog
Category Antivirus
Policy type Defender Update controls
Platform supported Windows 10 and later
Created 19 August 2023 17:21:03
Last modified 24 January 2025 13:17:54
Scope tags Default
Table 13. Basics - Win - OIB - ES - Defender Antivirus Updates - Ring 3 - Production - v3.4
Name Value
Defender
Engine Updates Channel Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
Platform Updates Channel Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
Security Intelligence Updates Channel Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in all populations, including production.
Table 14. Settings - Win - OIB - ES - Defender Antivirus Updates - Ring 3 - Production - v3.4
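The PowerShell below is an added example, not part of the exported policies, and serves the AV Configuration, Security Experience and the three Defender update-ring policies above. It maps each Intune label to the Get-MpPreference property it writes, compares the device's effective value with what the AV Configuration policy sets, and reports the update ring (channel codes 0 = Not configured, 2 = Beta, 3 = Preview, 4 = Staged, 5 = Broad, 6 = Delayed) and the tamper-protection state that the Security Experience policy turns on. Property names and codes are those of the Defender PowerShell module; the expected values are the ones in the tables.

```powershell
# Added example; not part of the exported policies. Run elevated.
# Intune label -> Get-MpPreference property and the value "AV Configuration - v3.3" sets.
$ExpectedPreference = @{
    DisableArchiveScanning              = $false   # Allow Archive Scanning
    DisableBehaviorMonitoring           = $false   # Allow Behavior Monitoring
    MAPSReporting                       = 2        # Allow Cloud Protection (2 = Advanced MAPS)
    DisableEmailScanning                = $false   # Allow Email Scanning
    DisableRemovableDriveScanning       = $false   # Allow Full Scan Removable Drive Scanning
    DisableIOAVProtection               = $false   # Allow scanning of all downloaded files and attachments
    DisableRealtimeMonitoring           = $false   # Allow Realtime Monitoring
    DisableScanningNetworkFiles         = $false   # Allow Scanning Network Files
    DisableScriptScanning               = $false   # Allow Script Scanning
    ScanAvgCPULoadFactor                = 50       # Avg CPU Load Factor (percent)
    CheckForSignaturesBeforeRunningScan = $true
    CloudBlockLevel                     = 2        # High
    CloudExtendedTimeout                = 50       # seconds
    DisableCatchupFullScan              = $false
    DisableCatchupQuickScan             = $false
    EnableLowCpuPriority                = $true
    EnableNetworkProtection             = 1        # Enabled (block mode)
    PUAProtection                       = 1        # PUA detections blocked
    RealTimeScanDirection               = 0        # Monitor all files (bi-directional)
    ScanScheduleQuickScanTime           = [timespan]::FromMinutes(660)   # 11:00
    SignatureUpdateInterval             = 1        # hours
    SubmitSamplesConsent                = 1        # Send safe samples automatically
    DisableLocalAdminMerge              = $true    # local exclusions cannot widen the policy
    HighThreatDefaultAction             = 3        # Remove
    SevereThreatDefaultAction           = 3        # Remove
    ModerateThreatDefaultAction         = 3        # Remove
    LowThreatDefaultAction              = 10       # Block
    MeteredConnectionUpdates            = $true
}
# Update channel codes reported by Get-MpPreference for the three ring policies.
$ChannelNames = @{
    0 = 'Not configured'; 2 = 'Beta'; 3 = 'Current Channel (Preview)'
    4 = 'Current Channel (Staged)'; 5 = 'Current Channel (Broad)'; 6 = 'Critical - Time delay'
}

function Test-DefenderPreference {
    # One row per expected setting; InSync = $false is drift from the AV Configuration policy.
    $pref = Get-MpPreference
    foreach ($name in ($ExpectedPreference.Keys | Sort-Object)) {
        $expected = $ExpectedPreference[$name]
        $actual   = $pref.$name
        [pscustomobject]@{
            Setting  = $name
            Expected = $expected
            Actual   = $actual
            InSync   = ($actual -eq $expected)
        }
    }
}

function Get-DefenderRingAndTamperState {
    # Which update ring the device is in, plus the tamper-protection state that the
    # Security Experience policy turns on (needs a Defender for Endpoint/Business license).
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        EngineChannel       = $ChannelNames[[int]$pref.EngineUpdatesChannel]
        PlatformChannel     = $ChannelNames[[int]$pref.PlatformUpdatesChannel]
        IntelligenceChannel = $ChannelNames[[int]$pref.DefinitionUpdatesChannel]
        EngineVersion       = $status.AMEngineVersion
        PlatformVersion     = $status.AMProductVersion
        SignatureVersion    = $status.AntivirusSignatureVersion
        TamperProtected     = $status.IsTamperProtected
        RealTimeProtection  = $status.RealTimeProtectionEnabled
    }
}

Test-DefenderPreference | Where-Object { -not $_.InSync } | Format-Table -AutoSize
Get-DefenderRingAndTamperState | Format-List
```

Because the policy disables local admin merge, a mismatch here is not something a local administrator can fix with Set-MpPreference; it indicates the Intune policy has not applied, a conflicting policy, or tampering, and should be investigated on the MDM side.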

Win - OIB - ES - Encryption - D - BitLocker (OS Disk) - v3.0

Name Value
Basics
Name Win - OIB - ES - Encryption - D - BitLocker (OS Disk) - v3.0
Description
Profile type Settings catalog
Category Disk encryption
Policy type BitLocker
Platform supported Windows 10 and later
Created 09 August 2023 16:01:29
Last modified 05 December 2024 19:35:29
Scope tags Default
Table 15. Basics - Win - OIB - ES - Encryption - D - BitLocker (OS Disk) - v3.0
Name Value
Administrative Templates
Operating System Drives
Enforce drive encryption type on operating system drives Enabled
Select the encryption type: (Device) Full encryption
Require additional authentication at startup Enabled
Configure TPM startup key and PIN: Do not allow startup key and PIN with TPM
Configure TPM startup PIN: Do not allow startup PIN with TPM
Configure TPM startup: Require TPM
Allow BitLocker without a compatible TPM (requires a password or a startup key on a USB flash drive) False
Configure TPM startup key: Do not allow startup key with TPM
Disallow standard users from changing the PIN or password Enabled
Choose how BitLocker-protected operating system drives can be recovered Enabled
Omit recovery options from the BitLocker setup wizard True
Allow data recovery agent False
Allow 256-bit recovery key
Configure storage of BitLocker recovery information to AD DS: Store recovery passwords and key packages
Do not enable BitLocker until recovery information is stored to AD DS for operating system drives True
Save BitLocker recovery information to AD DS for operating system drives True

Configure user storage of BitLocker recovery information: Require 48-digit recovery password
BitLocker Drive Encryption
Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later) Enabled
Select the encryption method for removable data drives: AES-CBC 256-bit
Select the encryption method for fixed data drives: XTS-AES 256-bit
Select the encryption method for operating system drives: XTS-AES 256-bit
BitLocker
Require Device Encryption Enabled
Allow Warning For Other Disk Encryption Disabled
Allow Standard User Encryption Enabled
Configure Recovery Password Rotation Refresh on for Azure AD-joined devices
Table 16. Settings - Win - OIB - ES - Encryption - D - BitLocker (OS Disk) - v3.0
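The PowerShell below is an added example and is not part of the exported policy. It checks the OS volume against the settings above (full encryption with XTS-AES 256, TPM-only pre-boot authentication with the TPM+PIN and startup-key combinations absent, and a recovery-password protector) and reports the most recent recovery-key escrow event; on an Entra-joined device "save recovery information to AD DS" means escrow to Entra ID, recorded as event 845 (success) or 846 (failure) in the BitLocker management log. The cmdlets are from the built-in BitLocker module.

```powershell
# Added example; not part of the exported policies. Run elevated.
function Test-OsDriveBitLocker {
    # Checks the OS volume against the policy: full encryption with XTS-AES 256,
    # TPM-only pre-boot authentication, a numeric (48-digit) recovery password,
    # and none of the TPM+PIN / startup-key combinations the policy disallows.
    param([string]$MountPoint = $env:SystemDrive)
    $vol        = Get-BitLockerVolume -MountPoint $MountPoint
    $tpm        = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
    $recovery   = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    $disallowed = $vol.KeyProtector | Where-Object {
        $_.KeyProtectorType -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'ExternalKey'
    }
    $compliant = ($vol.ProtectionStatus -eq 'On') -and
                 ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                 ($vol.EncryptionMethod -eq 'XtsAes256') -and
                 [bool]$tpm -and [bool]$recovery -and (@($disallowed).Count -eq 0)
    [pscustomobject]@{
        MountPoint           = $vol.MountPoint
        ProtectionStatus     = $vol.ProtectionStatus
        VolumeStatus         = $vol.VolumeStatus
        EncryptionMethod     = $vol.EncryptionMethod
        TpmProtector         = [bool]$tpm
        RecoveryPassword     = [bool]$recovery
        DisallowedProtectors = @($disallowed).Count
        Compliant            = $compliant
    }
}

function Get-LastEntraEscrowEvent {
    # Event 845 records a successful backup of the recovery password to Entra ID,
    # 846 a failed one; the most recent of either tells you whether escrow happened.
    Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-BitLocker/BitLocker Management'
        Id      = 845, 846
    } | Select-Object -First 1 TimeCreated, Id, Message
}

function Backup-RecoveryPasswordToEntra {
    # Re-escrows every recovery-password protector; useful when event 846 shows the
    # automatic backup failed or a protector was regenerated locally.
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
    }
}

Test-OsDriveBitLocker  | Format-List
Get-LastEntraEscrowEvent | Format-List
```

A volume that is encrypted but has no 845 event is the failure mode the "Do not enable BitLocker until recovery information is stored" setting is meant to prevent; if you see one, run Backup-RecoveryPasswordToEntra and confirm the key appears on the device in the Intune admin center before relying on it.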

Win - OIB - ES - Encryption - U - Personal Data Encryption - v3.4

Name Value
Basics
Name Win - OIB - ES - Encryption - U - Personal Data Encryption - v3.4
Description NOTE: PDE is only applicable to Windows 11 22H2 or higher on Entra-joined devices, and does not work on Windows Pro/Business SKUs:
https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/personal-data-encryption/
Profile type Settings catalog
Category Disk encryption
Policy type Personal Data Encryption
Platform supported Windows 10 and later
Created 24 September 2024 10:22:15
Last modified 05 December 2024 19:35:45
Scope tags Default
Table 17. Basics - Win - OIB - ES - Encryption - U - Personal Data Encryption - v3.4
Name Value
Personal Data Encryption
Enable Personal Data Encryption (User) Enable Personal Data Encryption.
Protect Pictures (User) (Windows Insiders only) Enable Personal Data Encryption on the folder.
Protect Documents (User) (Windows Insiders only) Enable Personal Data Encryption on the folder.
Protect Desktop (User) (Windows Insiders only) Enable Personal Data Encryption on the folder.
Table 18. Settings - Win - OIB - ES - Encryption - U - Personal Data Encryption - v3.4

Win - OIB - ES - Windows Firewall - D - Firewall Configuration - v3.1

Name Value
Basics
Name Win - OIB - ES - Windows Firewall - D - Firewall Configuration - v3.1
Description
Profile type Settings catalog
Category Firewall
Policy type Windows Firewall
Platform supported Windows 10 and later
Created 09 August 2023 16:01:44
Last modified 05 December 2024 19:36:05
Scope tags Default
Table 19. Basics - Win - OIB - ES - Windows Firewall - D - Firewall Configuration - v3.1
Name Value
Auditing
Object Access Audit Filtering Platform Connection Failure
Object Access Audit Filtering Platform Packet Drop Failure
Firewall
Disable Stateful Ftp True
Enable Domain Network Firewall True
Default Inbound Action for Domain Profile Block
Default Outbound Action Allow
Disable Inbound Notifications True
Log Max File Size 16384 (KB)
Disable Stealth Mode False
Enable Log Dropped Packets Enable Logging Of Dropped Packets
Enable Log Success Connections Enable Logging Of Successful Connections
Log File Path %SystemRoot%\System32\logfiles\firewall\domainfw.log
Enable Private Network Firewall True
Disable Inbound Notifications True
Default Outbound Action Allow
Log Max File Size 16384 (KB)
Default Inbound Action for Private Profile Block
Enable Log Dropped Packets Enable Logging Of Dropped Packets
Enable Log Success Connections Enable Logging Of Successful Connections
Log File Path %SystemRoot%\System32\logfiles\firewall\privatefw.log
Enable Public Network Firewall True
Log Max File Size 16384 (KB)
Allow Local Policy Merge False
Default Outbound Action Allow
Disable Inbound Notifications True
Default Inbound Action for Public Profile Block
Enable Log Ignored Rules Disable Logging Of Ignored Rules
Enable Log Dropped Packets Enable Logging Of Dropped Packets
Enable Log Success Connections Enable Logging Of Successful Connections
Log File Path %SystemRoot%\System32\logfiles\firewall\publicfw.log
Allow Local Ipsec Policy Merge False
Table 20. Settings - Win - OIB - ES - Windows Firewall - D - Firewall Configuration - v3.1
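The PowerShell below is an added example and is not part of the exported policy. It checks each firewall profile against the settings above (the local-rule merge check applies only to the Public profile, because that is the only profile where the policy disables it) and parses the per-profile log files the policy turns on, summarising inbound drops by port and source so that "what is being blocked" can be answered from the log rather than guessed. The log parser reads the #Fields header, so it copes with logs with or without the trailing pid column; the sample log lines are constructed for the example.

```powershell
# Added example; not part of the exported policies. Run elevated for the profile check.

function ConvertFrom-FirewallLog {
    # Parses Windows Firewall log text. The #Fields header names the columns, so the
    # parser works whether or not the trailing 'pid' column is present.
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    begin { $fields = $null }
    process {
        foreach ($line in $Lines) {
            if ($line -like '#Fields:*') {
                $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
                continue
            }
            if (-not $fields -or $line -like '#*' -or [string]::IsNullOrWhiteSpace($line)) { continue }
            $parts = $line -split '\s+'
            $obj = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count; $i++) {
                $obj[$fields[$i]] = $(if ($i -lt $parts.Count) { $parts[$i] } else { $null })
            }
            [pscustomobject]$obj
        }
    }
}

function Get-InboundDropSummary {
    # Inbound drops (action DROP, path RECEIVE) grouped by protocol and destination port.
    param([object[]]$Entries)
    $Entries | Where-Object { $_.action -eq 'DROP' -and $_.path -eq 'RECEIVE' } |
        Group-Object protocol, 'dst-port' | Sort-Object Count -Descending | ForEach-Object {
            [pscustomobject]@{
                Protocol = $_.Group[0].protocol
                DstPort  = $_.Group[0].'dst-port'
                Drops    = $_.Count
                Sources  = ($_.Group.'src-ip' | Sort-Object -Unique) -join ','
            }
        }
}

function Test-FirewallProfiles {
    # Per-profile check against the policy above.
    foreach ($p in Get-NetFirewallProfile) {
        $ok = $p.Enabled -and ($p.DefaultInboundAction -eq 'Block') -and ($p.DefaultOutboundAction -eq 'Allow') -and
              (-not $p.NotifyOnListen) -and ($p.LogMaxSizeKilobytes -eq 16384) -and $p.LogBlocked -and $p.LogAllowed
        if ($p.Name -eq 'Public') { $ok = $ok -and (-not $p.AllowLocalFirewallRules) -and (-not $p.AllowLocalIPsecRules) }
        [pscustomobject]@{
            Profile    = $p.Name
            Enabled    = $p.Enabled
            Inbound    = $p.DefaultInboundAction
            Outbound   = $p.DefaultOutboundAction
            LocalMerge = $p.AllowLocalFirewallRules
            LogMaxKB   = $p.LogMaxSizeKilobytes
            LogFile    = $p.LogFileName
            Compliant  = $ok
        }
    }
}

# Constructed sample in the real log format (not captured from a device).
$SampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path pid
2025-05-13 09:14:02 DROP TCP 10.1.2.3 10.1.2.44 51234 445 52 S 1234567 0 64240 - - - RECEIVE 0
2025-05-13 09:14:03 DROP TCP 10.1.2.3 10.1.2.44 51235 3389 52 S 1234568 0 64240 - - - RECEIVE 0
2025-05-13 09:14:05 DROP TCP 10.1.2.9 10.1.2.44 40001 445 52 S 1234569 0 64240 - - - RECEIVE 0
2025-05-13 09:14:06 ALLOW TCP 10.1.2.44 52.96.0.1 50200 443 0 - 0 0 0 - - - SEND 4120
2025-05-13 09:14:07 DROP UDP 10.1.2.77 10.1.2.44 137 137 78 - - - - - - - RECEIVE 0
'@ -split "`r?`n"

Get-InboundDropSummary -Entries (ConvertFrom-FirewallLog -Lines $SampleLog) | Format-Table -AutoSize
Test-FirewallProfiles | Format-Table -AutoSize

# On a managed device, read the log the policy configures for the active profile, e.g.:
# Get-Content "$env:SystemRoot\System32\logfiles\firewall\domainfw.log" |
#     ConvertFrom-FirewallLog | Get-InboundDropSummary
```

On the sample, the summary shows two drops to TCP/445 from two sources, one to TCP/3389 and one to UDP/137; on a real workstation the same view is a quick way to spot lateral-movement probing (SMB, RDP, NetBIOS) that the Block default inbound action is absorbing.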

Win - OIB - ES - Windows Hello for Business - D - WHfB Configuration - v3.2

Name Value
Basics
Name Win - OIB - ES - Windows Hello for Business - D - WHfB Configuration - v3.2
Description
Profile type Settings catalog
Category Account protection
Policy type Account Protection
Platform supported Windows 10 and later
Created 22 July 2024 14:29:02
Last modified 05 December 2024 19:36:54
Scope tags Default
Table 21. Basics - Win - OIB - ES - Windows Hello for Business - D - WHfB Configuration - v3.2
Name Value
Windows Hello For Business
Device-scoped settings Not configured
Require Security Device true
Use Windows Hello For Business (Device) true
Minimum PIN Length 6
Use Certificate For On Prem Auth Disabled
Enable Pin Recovery true
Facial Features Use Enhanced Anti Spoofing true
Table 22. Settings - Win - OIB - ES - Windows Hello for Business - D - WHfB Configuration - v3.2

Win - OIB - ES - Windows LAPS - D - LAPS Configuration - v3.1

Name Value
Basics
Name Win - OIB - ES - Windows LAPS - D - LAPS Configuration - v3.1
Description
Profile type Settings catalog
Category Account protection
Policy type Local admin password solution (Windows LAPS)
Platform supported Windows 10 and later
Created 03 April 2025 10:25:59
Last modified 03 April 2025 10:37:05
Scope tags Default
Table 23. Basics - Win - OIB - ES - Windows LAPS - D - LAPS Configuration - v3.1
Name Value
Backup Directory Backup the password to Azure AD only
Password Age Days 7
Password Complexity Large letters + small letters + numbers + special characters (improved readability)
Password Length 21
Post Authentication Actions Reset the password and logoff the managed account: upon expiry of the grace period, the managed account password will be reset and any interactive logon sessions using the managed account will be terminated.
Post Authentication Reset Delay 1 (hours)
Table 24. Settings - Win - OIB - ES - Windows LAPS - D - LAPS Configuration - v3.1

Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6

Name Value
Basics
Name Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6
Description NOTE: For 24H2+ devices only.
Profile type Settings catalog
Category Account protection
Policy type Local admin password solution (Windows LAPS)
Platform supported Windows 10 and later
Created 09 August 2023 16:01:36
Last modified 12 May 2025 14:28:22
Scope tags Default
Table 25. Basics - Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6
Name Value
Backup Directory Backup the password to Azure AD only
Password Age Days 7
Password Complexity Passphrase (short words with unique prefixes)
Passphrase Length 4
Password Length 21
Post Authentication Actions Reset the password, logoff the managed account, and terminate any remaining processes: upon expiration of the grace period, the managed account password is reset, any interactive logon sessions using the managed account are logged off, and any remaining processes are terminated.
Post Authentication Reset Delay 1 (hours)
Automatic Account Management Enabled The target account will be automatically managed
Automatic Account Management Name Or Prefix Not configured
Automatic Account Management Target Manage a new custom administrator account
Automatic Account Management Enable Account The target account will be enabled
Automatic Account Management Randomize Name The name of the target account will not use a random numeric suffix.
Table 26. Settings - Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6

Win - OIB - SC - Credential Management - D - Passwordless - v3.3

Name Value
Basics
Name Win - OIB - SC - Credential Management - D - Passwordless - v3.3
Description NOTE: Applying this policy can cause issues with UAC and elevation if not using Windows LAPS and the built-in Administrator account.
Profile type Settings catalog
Platform supported Windows 10 and later
Created 10 April 2024 20:38:28
Last modified 05 December 2024 19:46:28
Scope tags Default
Table 27. Basics - Win - OIB - SC - Credential Management - D - Passwordless - v3.3
Name Value
Administrative Templates
Logon
Assign a default credential provider Enabled
Assign the following credential provider as the default credential provider: (Device) {D6886603-9D2F-4EB2-B667-1971041FA96B}
Authentication
Enable Passwordless Experience Enabled. The Passwordless experience will be enabled on Windows
Enable Web Sign In Enabled. Web Sign-in will be enabled for signing in to Windows
Table 28. Settings - Win - OIB - SC - Credential Management - D - Passwordless - v3.3

Win - OIB - SC - Defender Antivirus - D - Additional Configuration - v3.6

Name Value
Basics
Name Win - OIB - SC - Defender Antivirus - D - Additional Configuration - v3.6
Description NOTE: Some of these settings require the device to be onboarded to Defender for Endpoint.
Profile type Settings catalog
Platform supported Windows 10 and later
Created 10 April 2024 20:38:15
Last modified 08 May 2025 15:15:08
Scope tags Default
Table 29. Basics - Win - OIB - SC - Defender Antivirus - D - Additional Configuration - v3.6
Name Value
Defender
Enable Convert Warn To Block Warn verdicts are converted to block
Enable Dynamic Signature Dropped Event Reporting Dynamic Security intelligence update events will be reported.
Enable File Hash Computation Enable
Hide Exclusions From Local Admins If you enable this setting, local admins will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
Hide Exclusions From Local Users If you enable this setting, local users will no longer be able to see the exclusion list in Windows Security App or via PowerShell.
Intel TDT Enabled If you configure this setting to enabled, Intel TDT integration will turn on.
Oobe Enable Rtp And Sig Update If you enable this setting, real-time protection and Security Intelligence Updates are enabled during OOBE.
Passive Remediation Passive Remediation Sense AutoRemediation (flag PASSIVEREMEDIATIONFLAGSENSEAUTOREMEDIATION)
Quick Scan Include Exclusions If you set this setting to 1, all files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan.
Support Log Location %ProgramData%\Microsoft\IntuneManagementExtension\Logs
Table 30. Settings - Win - OIB - SC - Defender Antivirus - D - Additional Configuration - v3.6

Win - OIB - SC - Device Security - D - Administrator Protection - v3.5

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Administrator Protection - v3.5
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 01 October 2024 16:27:29
Last modified 24 January 2025 12:22:11
Scope tags Default
Table 31. Basics - Win - OIB - SC - Device Security - D - Administrator Protection - v3.5
Name Value
Local Policies Security Options
User Account Control Behavior Of The Elevation Prompt For Administrator Protection (Windows Insiders only) Prompt for credentials on the secure desktop
User Account Control Type Of Admin Approval Mode (Windows Insiders only) Admin Approval Mode with Administrator protection
Table 32. Settings - Win - OIB - SC - Device Security - D - Administrator Protection - v3.5

Win - OIB - SC - Device Security - D - Audit and Event Logging - v3.1

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Audit and Event Logging - v3.1
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 11 April 2024 19:37:59
Last modified 05 December 2024 19:41:00
Scope tags Default
Table 33. Basics - Win - OIB - SC - Device Security - D - Audit and Event Logging - v3.1
Name Value
Administrative Templates
Application
Control Event Log behavior when the log file reaches its maximum size Disabled
Specify the maximum log file size (KB) Enabled
Maximum Log Size (KB) 32768
Security
Control Event Log behavior when the log file reaches its maximum size Disabled
Specify the maximum log file size (KB) Enabled
Maximum Log Size (KB) 196608
Setup
Control Event Log behavior when the log file reaches its maximum size Disabled
Specify the maximum log file size (KB) Enabled
Maximum Log Size (KB) (Device) 32768
System
Control Event Log behavior when the log file reaches its maximum size Disabled
Specify the maximum log file size (KB) Enabled
Maximum Log Size (KB) 32768
Auditing
Account Logon Audit Credential Validation Success+Failure
Account Logon Logoff Audit Account Lockout Failure
Account Logon Logoff Audit Group Membership Success
Account Logon Logoff Audit Logoff Success
Account Logon Logoff Audit Logon Success+Failure
Account Management Audit Application Group Management Success+Failure
Audit Authentication Policy Change Success
Audit Authorization Policy Change Success
Audit Changes to Audit Policy Success
Audit File Share Access Success+Failure
Audit Other Logon Logoff Events Success+Failure
Audit Security Group Management Success
Audit Security System Extension Success
Audit Special Logon Success
Audit User Account Management Success+Failure
Detailed Tracking Audit PNP Activity Success
Detailed Tracking Audit Process Creation Success
Object Access Audit Detailed File Share Failure
Object Access Audit Other Object Access Events Success+Failure
Object Access Audit Removable Storage Success+Failure
Policy Change Audit MPSSVC Rule Level Policy Change Success+Failure
Policy Change Audit Other Policy Change Events Failure
Privilege Use Audit Sensitive Privilege Use Success+Failure
System Audit IPsec Driver Success+Failure
System Audit Other System Events Success+Failure
System Audit Security State Change Success
System Audit System Integrity Success+Failure
Table 34. Settings - Win - OIB - SC - Device Security - D - Audit and Event Logging - v3.1

Win - OIB - SC - Device Security - D - Config Refresh - v3.2

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Config Refresh - v3.2
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 08 May 2024 19:34:30
Last modified 05 December 2024 19:41:08
Scope tags Default
Table 35. Basics - Win - OIB - SC - Device Security - D - Config Refresh - v3.2
Name Value
Config Refresh
Provider ID Not configured
Config refresh Enabled.
Refresh cadence 30 (minutes)
Table 36. Settings - Win - OIB - SC - Device Security - D - Config Refresh - v3.2

Win - OIB - SC - Device Security - D - Enhanced Phishing Protection - v3.0

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Enhanced Phishing Protection - v3.0
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:21
Last modified 05 December 2024 19:41:14
Scope tags Default
Table 37. Basics - Win - OIB - SC - Device Security - D - Enhanced Phishing Protection - v3.0
Name Value
Smart Screen
Enhanced Phishing Protection
Notify Malicious Enabled
Notify Password Reuse Enabled
Notify Unsafe App Enabled
Service Enabled Enabled
Table 38. Settings - Win - OIB - SC - Device Security - D - Enhanced Phishing Protection - v3.0

Win - OIB - SC - Device Security - D - Local Security Policies - v3.0

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Local Security Policies - v3.0
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:22
Last modified 05 December 2024 19:42:06
Scope tags Default
Table 39. Basics - Win - OIB - SC - Device Security - D - Local Security Policies - v3.0
Name Value
Local Policies Security Options
Accounts Enable Administrator Account Status Enable
Accounts Enable Guest Account Status Disable
Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only Enabled
Interactive Logon Smart Card Removal Behavior Lock Workstation
Microsoft Network Client Digitally Sign Communications Always Enable
Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers Disable
Microsoft Network Server Digitally Sign Communications Always Enable
Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts Enabled
Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares Enabled
Network Access Restrict Anonymous Access To Named Pipes And Shares Enable
Network Access Restrict Clients Allowed To Make Remote Calls To SAM O:BAG:BAD:(A;;RC;;;BA)
Network Security Do Not Store LAN Manager Hash Value On Next Password Change Enable
Network Security LAN Manager Authentication Level Send LM and NTLMv2 responses only. Refuse LM and NTLM (LmCompatibilityLevel 5: NTLMv2 responses only, LM and NTLM refused)
Network Security Minimum Session Security For NTLMSSP Based Clients Require NTLM and 128-bit encryption (NTLMMinClientSec 0x20080000: NTLMv2 session security and 128-bit encryption)
Network Security Minimum Session Security For NTLMSSP Based Servers Require NTLM and 128-bit encryption (NTLMMinServerSec 0x20080000: NTLMv2 session security and 128-bit encryption)
User Account Control Behavior Of The Elevation Prompt For Administrators Prompt for consent on the secure desktop
User Account Control Behavior Of The Elevation Prompt For Standard Users Prompt for credentials on the secure desktop
User Account Control Detect Application Installations And Prompt For Elevation Enable
User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations Enabled: Application runs with UIAccess integrity only if it resides in secure location.
User Account Control Run All Administrators In Admin Approval Mode Enabled
User Account Control Switch To The Secure Desktop When Prompting For Elevation Enabled
User Account Control Use Admin Approval Mode Enable
User Account Control Virtualize File And Registry Write Failures To Per User Locations Enabled
Table 40. Settings - Win - OIB - SC - Device Security - D - Local Security Policies - v3.0

Win - OIB - SC - Device Security - D - Local Security Policies (24H2+) - v3.6

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Local Security Policies (24H2+) - v3.6
Description NOTE: For 24H2+ devices only. Disables built-in Administrator account.
Profile type Settings catalog
Platform supported Windows 10 and later
Created 01 April 2025 15:02:22
Last modified 12 May 2025 14:28:34
Scope tags Default
Table 41. Basics - Win - OIB - SC - Device Security - D - Local Security Policies (24H2+) - v3.6
Name Value
Local Policies Security Options
Accounts Enable Administrator Account Status Disable
Accounts Enable Guest Account Status Disable
Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only Enabled
Interactive Logon Smart Card Removal Behavior Lock Workstation
Microsoft Network Client Digitally Sign Communications Always Enable
Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers Disable
Microsoft Network Server Digitally Sign Communications Always Enable
Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts Enabled
Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares Enabled
Network Access Restrict Anonymous Access To Named Pipes And Shares Enable
Network Access Restrict Clients Allowed To Make Remote Calls To SAM O:BAG:BAD:(A;;RC;;;BA)
Network Security Do Not Store LAN Manager Hash Value On Next Password Change Enable
Network Security LAN Manager Authentication Level Send LM and NTLMv2 responses only. Refuse LM and NTLM (LmCompatibilityLevel 5: NTLMv2 responses only, LM and NTLM refused)
Network Security Minimum Session Security For NTLMSSP Based Clients Require NTLM and 128-bit encryption (NTLMMinClientSec 0x20080000: NTLMv2 session security and 128-bit encryption)
Network Security Minimum Session Security For NTLMSSP Based Servers Require NTLM and 128-bit encryption (NTLMMinServerSec 0x20080000: NTLMv2 session security and 128-bit encryption)
User Account Control Behavior Of The Elevation Prompt For Administrators Prompt for consent on the secure desktop
User Account Control Behavior Of The Elevation Prompt For Standard Users Prompt for credentials on the secure desktop
User Account Control Detect Application Installations And Prompt For Elevation Enable
User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations Enabled: Application runs with UIAccess integrity only if it resides in secure location.
User Account Control Run All Administrators In Admin Approval Mode Enabled
User Account Control Switch To The Secure Desktop When Prompting For Elevation Enabled
User Account Control Use Admin Approval Mode Enable
User Account Control Virtualize File And Registry Write Failures To Per User Locations Enabled
Table 42. Settings - Win - OIB - SC - Device Security - D - Local Security Policies (24H2+) - v3.6

Win - OIB - SC - Device Security - D - Location and Privacy - v3.2

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Location and Privacy - v3.2
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 13 May 2025 11:53:01
Last modified 13 May 2025 11:53:01
Scope tags Default
Table 43. Basics - Win - OIB - SC - Device Security - D - Location and Privacy - v3.2
Name Value
Privacy
Let Apps Access Location User in control.
Let Apps Access Location Force Allow These Apps windows.immersivecontrolpanel_cw5n1h2txyewy;Microsoft.OutlookForWindows_8wekyb3d8bbwe
System
Allow Location Location service is allowed. The user has control and can change Location Privacy settings on or off.
Table 44. Settings - Win - OIB - SC - Device Security - D - Location and Privacy - v3.2

Win - OIB - SC - Device Security - D - Login and Lock Screen - v3.1

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Login and Lock Screen - v3.1
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 10 April 2024 20:38:02
Last modified 05 December 2024 19:42:22
Scope tags Default
Table 45. Basics - Win - OIB - SC - Device Security - D - Login and Lock Screen - v3.1
Name Value
Above Lock
Allow Cortana Above Lock Block
Allow Toasts Block
Administrative Templates
Personalization
Prevent enabling lock screen camera Enabled
Prevent enabling lock screen slide show Enabled
Logon
Turn off app notifications on the lock screen Enabled
Credential User Interface
Do not display the password reveal button Enabled
Windows Logon Options
Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot Enabled
Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot (Device) Enabled if BitLocker is on and not suspended
Sign-in and lock last interactive user automatically after a restart Enabled
Authentication
Allow Aad Password Reset Allow
Privacy
Let Apps Activate With Voice Above Lock Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it.
Table 46. Settings - Win - OIB - SC - Device Security - D - Login and Lock Screen - v3.1

Win - OIB - SC - Device Security - D - Remote Desktop Services and RPC - v3.0

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Remote Desktop Services and RPC - v3.0
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:24
Last modified 05 December 2024 19:42:29
Scope tags Default
Table 47. Basics - Win - OIB - SC - Device Security - D - Remote Desktop Services and RPC - v3.0
Name Value
Administrative Templates
Remote Procedure Call
Enable RPC Endpoint Mapper Client Authentication Enabled
Restrict Unauthenticated RPC clients Enabled
RPC Runtime Unauthenticated Client Restriction to Apply: Authenticated
Remote Desktop Connection Client
Do not allow passwords to be saved Enabled
Device and Resource Redirection
Do not allow drive redirection Enabled
Security
Always prompt for password upon connection Enabled
Require secure RPC communication Enabled
Require use of specific security layer for remote (RDP) connections Enabled
Security Layer (Device) SSL
Require user authentication for remote connections by using Network Level Authentication Enabled
Set client connection encryption level Enabled
Encryption Level High Level
Table 48. Settings - Win - OIB - SC - Device Security - D - Remote Desktop Services and RPC - v3.0

Win - OIB - SC - Device Security - D - Script File Associations - v3.4

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Script File Associations - v3.4
Description WARNING: Deploying will break running any PowerShell scripts from Intune in the User context. Amend policy if this functionality is required.
Profile type Settings catalog
Platform supported Windows 10 and later
Created 06 November 2024 02:08:11
Last modified 05 December 2024 19:42:37
Scope tags Default
Table 49. Basics - Win - OIB - SC - Device Security - D - Script File Associations - v3.4
Name Value
Application Defaults
Default Associations Configuration
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4NCjxEZWZhdWx0QXNzb2NpYXRpb25zPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmFwcHgiIFByb2dJZD0iQXBwbGljYXRpb25zXG5vdGVwYWQuZXhlIiBBcHBsaWNhdGlvbk5hbWU9Ik5vdGVwYWQiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuYmF0IiBQcm9nSWQ9IkFwcGxpY2F0aW9uc1xub3RlcGFkLmV4ZSIgQXBwbGljYXRpb25OYW1lPSJOb3RlcGFkIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmNhYiIgUHJvZ0lkPSJBcHBsaWNhdGlvbnNcbm90ZXBhZC5leGUiIEFwcGxpY2F0aW9uTmFtZT0iTm90ZXBhZCIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Ii5jb20iIFByb2dJZD0iQXBwbGljYXRpb25zXG5vdGVwYWQuZXhlIiBBcHBsaWNhdGlvbk5hbWU9Ik5vdGVwYWQiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuY21kIiBQcm9nSWQ9IkFwcGxpY2F0aW9uc1xub3RlcGFkLmV4ZSIgQXBwbGljYXRpb25OYW1lPSJOb3RlcGFkIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLmh0YSIgUHJvZ0lkPSJBcHBsaWNhdGlvbnNcbm90ZXBhZC5leGUiIEFwcGxpY2F0aW9uTmFtZT0iTm90ZXBhZCIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Ii5qcyIgUHJvZ0lkPSJBcHBsaWNhdGlvbnNcbm90ZXBhZC5leGUiIEFwcGxpY2F0aW9uTmFtZT0iTm90ZXBhZCIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Ii5qc2UiIFByb2dJZD0iQXBwbGljYXRpb25zXG5vdGVwYWQuZXhlIiBBcHBsaWNhdGlvbk5hbWU9Ik5vdGVwYWQiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIucHMxIiBQcm9nSWQ9IkFwcGxpY2F0aW9uc1xub3RlcGFkLmV4ZSIgQXBwbGljYXRpb25OYW1lPSJOb3RlcGFkIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLnBzMW0iIFByb2dJZD0iQXBwbGljYXRpb25zXG5vdGVwYWQuZXhlIiBBcHBsaWNhdGlvbk5hbWU9Ik5vdGVwYWQiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIuc2N0IiBQcm9nSWQ9IkFwcGxpY2F0aW9uc1xub3RlcGFkLmV4ZSIgQXBwbGljYXRpb25OYW1lPSJOb3RlcGFkIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLnNoYiIgUHJvZ0lkPSJBcHBsaWNhdGlvbnNcbm90ZXBhZC5leGUiIEFwcGxpY2F0aW9uTmFtZT0iTm90ZXBhZCIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Ii5zaHMiIFByb2dJZD0iQXBwbGljYXRpb25zXG5vdGVwYWQuZXhlIiBBcHBsaWNhdGlvbk5hbWU9Ik5vdGVwYWQiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIud3NmIiBQcm9nSWQ9IkFwcGxpY2F0aW9uc1xub3RlcGFkLmV4ZSIgQXBwbGljYXRpb25OYW1lPSJOb3RlcGFkIiAvPg0KICA8QXNzb2NpYXRpb24gSWRlbnRpZmllcj0iLndzaCIgUHJvZ0lkPSJBcHBsaWNhdGlvbnNcbm90ZXBhZC5leGUiIEFwcGxpY2F0aW9u
TmFtZT0iTm90ZXBhZCIgLz4NCiAgPEFzc29jaWF0aW9uIElkZW50aWZpZXI9Ii52YmUiIFByb2dJZD0iQXBwbGljYXRpb25zXG5vdGVwYWQuZXhlIiBBcHBsaWNhdGlvbk5hbWU9Ik5vdGVwYWQiIC8+DQogIDxBc3NvY2lhdGlvbiBJZGVudGlmaWVyPSIudmJzIiBQcm9nSWQ9IkFwcGxpY2F0aW9uc1xub3RlcGFkLmV4ZSIgQXBwbGljYXRpb25OYW1lPSJOb3RlcGFkIiAvPg0KPC9EZWZhdWx0QXNzb2NpYXRpb25zPg==
Table 50. Settings - Win - OIB - SC - Device Security - D - Script File Associations - v3.4

Win - OIB - SC - Device Security - D - Security Hardening - v3.6

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Security Hardening - v3.6
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 20 October 2024 20:56:16
Last modified 24 April 2025 12:50:04
Scope tags Default
Table 51. Basics - Win - OIB - SC - Device Security - D - Security Hardening - v3.6
Name Value
Administrative Templates
MS Security Guide
Apply UAC restrictions to local accounts on network logons Enabled
Configure SMB v1 client driver Enabled
Configure MrxSmb10 driver Disable driver (recommended)
Configure SMB v1 server Disabled
Enable Structured Exception Handling Overwrite Protection (SEHOP) Enabled
WDigest Authentication (disabling may require KB2871997) Disabled
MSS (Legacy)
MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) Enabled
DisableIPSourceRoutingIPv6 (Device) Highest protection, source routing is completely disabled
MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) Enabled
DisableIPSourceRouting (Device) Highest protection, source routing is completely disabled
MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes Disabled
MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers Enabled
MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) Enabled
ScreenSaverGracePeriod (Device) 0
Network Connections
Prohibit installation and configuration of Network Bridge on your DNS domain network Enabled
Require domain users to elevate when setting a network's location Enabled
Windows Connection Manager
Minimize the number of simultaneous connections to the Internet or a Windows Domain Enabled
Minimize Policy Options (Device) 3 = Prevent Wi-Fi when on Ethernet
Prohibit connection to non-domain networks when connected to domain authenticated network Enabled
Printers
Allow Print Spooler to accept client connections Disabled
Limits print driver installation to Administrators Enabled
Point and Print Restrictions Enabled
Enter fully qualified server names separated by semicolons (Device) Not configured
Users can only point and print to machines in their forest (Device) False
Users can only point and print to these servers: (Device) True
When installing drivers for a new connection: (Device) Show warning and elevation prompt
When updating drivers for an existing connection: (Device) Show warning and elevation prompt
Credentials Delegation
Encryption Oracle Remediation Enabled
Protection Level: (Device) Force Updated Clients
Remote host allows delegation of non-exportable credentials Enabled
Early Launch Antimalware
Boot-Start Driver Initialization Policy Enabled
Choose the boot-start drivers that can be initialized: Good, unknown and bad but critical
Internet Communication settings
Turn off downloading of print drivers over HTTP Enabled
Turn off Internet download for Web publishing and online ordering wizards Enabled
Remote Assistance
Configure Offer Remote Assistance Disabled
Configure Solicited Remote Assistance Disabled
AutoPlay Policies
Disallow Autoplay for non-volume devices Enabled
Set the default behavior for AutoRun Enabled
Default AutoRun Behavior Do not execute any autorun commands
Turn off Autoplay Enabled
Turn off Autoplay on: All drives
Credential User Interface
Enumerate administrator accounts on elevation Disabled
File Explorer
Configure Windows Defender SmartScreen Enabled
Pick one of the following settings: (Device) Warn and prevent bypass
Turn off Data Execution Prevention for Explorer Disabled
Turn off heap termination on corruption Disabled
HomeGroup
Prevent the computer from joining a homegroup Enabled
Push To Install
Turn off Push To Install service Enabled
RSS Feeds
Prevent downloading of enclosures Enabled
Windows Error Reporting
Disable Windows Error Reporting Disabled
Windows PowerShell
Turn on PowerShell Script Block Logging Enabled
Log script block invocation start / stop events: False
WinRM Client
Allow Basic authentication Disabled
Allow unencrypted traffic Disabled
Disallow Digest authentication Enabled
WinRM Service
Allow Basic authentication Disabled
Allow unencrypted traffic Disabled
Disallow WinRM from storing RunAs credentials Enabled
Connectivity
Allow Phone PC Linking Block
Data Protection
Allow Direct Memory Access Block
Experience
Allow Cortana Block
Allow Manual MDM Unenrollment Block
Games
Allow Advanced Gaming Services Block
Kerberos
PK Init Hash Algorithm Configuration Enabled
PK Init Hash Algorithm SHA1 Not Supported
PK Init Hash Algorithm SHA256 Default
PK Init Hash Algorithm SHA384 Default
PK Init Hash Algorithm SHA512 Default
Lanman Server
Audit Client Does Not Support Encryption Enabled
Audit Client Does Not Support Signing Enabled
Audit Insecure Guest Logon Enabled
Auth Rate Limiter Delay In Ms 2000
Enable Auth Rate Limiter Enabled
Enable Mailslots Disabled
Max Smb2 Dialect SMB 3.1.1
Min Smb2 Dialect SMB 3.0.0
Lanman Workstation
Audit Insecure Guest Logon Enabled
Audit Server Does Not Support Encryption Enabled
Audit Server Does Not Support Signing Enabled
Enable Insecure Guest Logons Disabled
Enable Mailslots Disabled
Max Smb2 Dialect SMB 3.1.1
Min Smb2 Dialect SMB 3.0.0
Require Encryption Disabled
Privacy
Disable Privacy Experience Enabled
Security
Allow Add Provisioning Package Block
Allow Remove Provisioning Package Block
Require Retrieve Health Certificate On Boot Required.
Settings
Page Visibility List hide:gaming-gamebar;gaming-gamedvr;gaming-broadcasting;gaming-gamemode;gaming-xboxnetworking
Sudo
Enable Sudo Sudo is disabled.
System Services
Configure Xbox Accessory Management Service Startup Mode Disabled
Configure Xbox Live Auth Manager Service Startup Mode Disabled
Configure Xbox Live Game Save Service Startup Mode Disabled
Configure Xbox Live Networking Service Startup Mode Disabled
Task Scheduler
Enable Xbox Game Save Task Disabled
Wi-Fi Settings
Allow Auto Connect To Wi Fi Sense Hotspots Block
Allow Internet Sharing Block
Windows Ink Workspace
Allow Windows Ink Workspace ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen.
Wireless Display
Allow Projection From PC Your PC can discover and project to other devices.
Allow Projection To PC Projection to PC is not allowed. Always off and the user cannot enable it.
Require Pin For Pairing Pairing ceremony for new devices will always require a PIN
Table 52. Settings - Win - OIB - SC - Device Security - D - Security Hardening - v3.6

Win - OIB - SC - Device Security - D - Timezone - v3.4

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Timezone - v3.4
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 10 April 2024 20:37:35
Last modified 22 January 2025 12:11:38
Scope tags Default
Table 53. Basics - Win - OIB - SC - Device Security - D - Timezone - v3.4
Name Value
Administrative Templates
Time Providers
Configure Windows NTP Client Enabled
CrossSiteSyncFlags (Device) 2
EventLogFlags (Device) 3
NtpServer (Device) time.windows.com
ResolvePeerBackoffMaxTimes (Device) 7
ResolvePeerBackoffMinutes (Device) 15
SpecialPollInterval (Device) 1024
Type (Device) AllSync
Enable Windows NTP Client Enabled
User Rights
Change Time Zone `*S-1-5-19;`*S-1-5-32-544;`*S-1-5-32-545
Table 54. Settings - Win - OIB - SC - Device Security - D - Timezone - v3.4

Win - OIB - SC - Device Security - D - User Rights - v3.5

Name Value
Basics
Name Win - OIB - SC - Device Security - D - User Rights - v3.5
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 10 April 2024 20:37:21
Last modified 14 February 2025 18:11:36
Scope tags Default
Table 55. Basics - Win - OIB - SC - Device Security - D - User Rights - v3.5
Name Value
User Rights
Access From Network `*S-1-5-32-544;`*S-1-5-32-555
Allow Local Log On `*S-1-5-32-544;`*S-1-5-32-545
Backup Files And Directories `*S-1-5-32-544
Change System Time `*S-1-5-19;`*S-1-5-32-544
Create Global Objects `*S-1-5-6;`*S-1-5-19;`*S-1-5-20;`*S-1-5-32-544
Create Page File `*S-1-5-32-544
Create Symbolic Links `*S-1-5-32-544
Debug Programs `*S-1-5-32-544
Deny Access From Network `*S-1-2-0;`*S-1-5-32-546
Deny Local Log On `*S-1-5-32-546
Deny Remote Desktop Services Log On `*S-1-5-32-546
Generate Security Audits `*S-1-5-19;`*S-1-5-20
Impersonate Client `*S-1-5-6;`*S-1-5-19;`*S-1-5-20;`*S-1-5-32-544
Increase Scheduling Priority `*S-1-5-32-544;`*S-1-5-90
Load Unload Device Drivers `*S-1-5-32-544
Manage Auditing And Security Log `*S-1-5-32-544
Manage Volume `*S-1-5-32-544
Modify Firmware Environment `*S-1-5-32-544
Profile Single Process `*S-1-5-32-544
Remote Shutdown `*S-1-5-32-544
Restore Files And Directories `*S-1-5-32-544
Take Ownership `*S-1-5-32-544
Table 56. Settings - Win - OIB - SC - Device Security - D - User Rights - v3.5

Win - OIB - SC - Device Security - D - Windows Package Manager - v3.5

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Windows Package Manager - v3.5
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 14 February 2025 11:25:53
Last modified 14 February 2025 11:51:46
Scope tags Default
Table 57. Basics - Win - OIB - SC - Device Security - D - Windows Package Manager - v3.5
Name Value
Administrative Templates
Desktop App Installer
Enable App Installer Experimental Features Disabled
Enable App Installer Hash Override Disabled
Enable App Installer Local Manifest Files Disabled
Enable App Installer ms-appinstaller protocol Disabled
Enable App Installer Settings Disabled
Table 58. Settings - Win - OIB - SC - Device Security - D - Windows Package Manager - v3.5

Win - OIB - SC - Device Security - D - Windows Subsystem for Linux - v3.2

Name Value
Basics
Name Win - OIB - SC - Device Security - D - Windows Subsystem for Linux - v3.2
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 10 April 2024 20:37:07
Last modified 05 December 2024 19:49:47
Scope tags Default
Table 59. Basics - Win - OIB - SC - Device Security - D - Windows Subsystem for Linux - v3.2
Name Value
Windows Subsystem For Linux
Allow custom kernel configuration Disabled
Allow custom networking configuration Disabled
Allow custom system distribution configuration Disabled
Allow kernel command line configuration Disabled
Allow kernel debugging Disabled
Allow nested virtualization Disabled
Allow the debug shell Disabled
Allow the Inbox version of the Windows Subsystem For Linux Disabled
Allow user setting firewall configuration Disabled
Allow WSL1 Disabled
Table 60. Settings - Win - OIB - SC - Device Security - D - Windows Subsystem for Linux - v3.2

Win - OIB - SC - Device Security - U - Device Guard, Credential Guard and HVCI - v3.5

Name Value
Basics
Name Win - OIB - SC - Device Security - U - Device Guard, Credential Guard and HVCI - v3.5
Description
WARNING: Applying this policy to Devices will cause a reboot between Device and User ESP phases!
NOTE: These features are automatically enabled on a fresh Win11 22H2 or above install, however they require Windows Enterprise to function correctly. They also require hardware support:
https://learn.microsoft.com/en-us/windows-hardware/design/device-experiences/oem-vbs
Profile type Settings catalog
Platform supported Windows 10 and later
Created 10 April 2024 20:36:52
Last modified 14 February 2025 11:21:18
Scope tags Default
Table 61. Basics - Win - OIB - SC - Device Security - U - Device Guard, Credential Guard and HVCI - v3.5
Name Value
Device Guard
Configure System Guard Launch Unmanaged Enables Secure Launch if supported by hardware
Credential Guard (Enabled without lock) Turns on Credential Guard without UEFI lock.
Enable Virtualization Based Security enable virtualization based security.
Machine Identity Isolation (Disabled) Machine password is only LSASS-bound and stored in `$MACHINE.ACC registry key.
Require Platform Security Features Turns on VBS with Secure Boot and direct memory access (DMA). DMA requires hardware support.
Local Security Authority
Configure Lsa Protected Process Enabled without UEFI lock. LSA will run as protected process and this configuration is not UEFI locked.
Virtualization Based Technology
Hypervisor Enforced Code Integrity (Enabled without lock) Turns on Hypervisor-Protected Code Integrity without UEFI lock.
Require UEFI Memory Attributes Table Require UEFI Memory Attributes Table
Table 62. Settings - Win - OIB - SC - Device Security - U - Device Guard, Credential Guard and HVCI - v3.5

Win - OIB - SC - Device Security - U - Power and Device Lock - v3.6

Name Value
Basics
Name Win - OIB - SC - Device Security - U - Power and Device Lock - v3.6
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 18 July 2024 13:00:44
Last modified 13 May 2025 11:45:27
Scope tags Default
Table 63. Basics - Win - OIB - SC - Device Security - U - Power and Device Lock - v3.6
Name Value
Administrative Templates
Sleep Settings
Require a password when a computer wakes (on battery) Enabled
Require a password when a computer wakes (plugged in) Enabled
Specify the system sleep timeout (on battery) Enabled
System Sleep Timeout (seconds): 600
Specify the system sleep timeout (plugged in) Enabled
System Sleep Timeout (seconds): 900
Video and Display Settings
Turn off the display (on battery) Enabled
On battery power, turn display off after (seconds) 300
Turn off the display (plugged in) Enabled
When plugged in, turn display off after (seconds) 600
Power
Unattended Sleep Timeout On Battery 600
Unattended Sleep Timeout Plugged In 900
Table 64. Settings - Win - OIB - SC - Device Security - U - Power and Device Lock - v3.6

Win - OIB - SC - Device Security - U - Windows Sandbox - v3.4

Name Value
Basics
Name Win - OIB - SC - Device Security - U - Windows Sandbox - v3.4
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 16 September 2024 19:16:30
Last modified 05 December 2024 19:51:01
Scope tags Default
Table 65. Basics - Win - OIB - SC - Device Security - U - Windows Sandbox - v3.4
Name Value
Windows Sandbox
Allow Audio Input Not allowed.
Allow Clipboard Redirection Allowed.
Allow Networking Not allowed.
Allow Printer Redirection Not allowed.
Allow VGPU Not allowed.
Allow Video Input Not allowed.
Table 66. Settings - Win - OIB - SC - Device Security - U - Windows Sandbox - v3.4

Win - OIB - SC - Device Security - U - Windows Spotlight and Org Messages - v3.0

Name Value
Basics
Name Win - OIB - SC - Device Security - U - Windows Spotlight and Org Messages - v3.0
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:27
Last modified 30 April 2025 10:11:17
Scope tags Default
Table 67. Basics - Win - OIB - SC - Device Security - U - Windows Spotlight and Org Messages - v3.0
Name Value
Experience
Allow Spotlight Collection (User) 0
Allow Windows Spotlight (User) Allow
Allow Tailored Experiences With Diagnostic Data (User) Allow
Allow Third Party Suggestions In Windows Spotlight (User) Block
Allow Windows Consumer Features Block
Allow Windows Spotlight On Action Center (User) Allow
Allow Windows Spotlight Windows Welcome Experience (User) Block
Allow Windows Tips Allow
Configure Windows Spotlight On Lock Screen (User) Windows spotlight enabled.
Allow Windows Spotlight On Settings (User) Block
Disable Cloud Optimized Content Disabled
Enable delivery of organizational messages (User) Enabled
Table 68. Settings - Win - OIB - SC - Device Security - U - Windows Spotlight and Org Messages - v3.0

Win - OIB - SC - Google Chrome - D - Security - v3.0 (Deprecated)

Name Value
Basics
Name Win - OIB - SC - Google Chrome - D - Security - v3.0 (Deprecated)
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:31
Last modified 05 December 2024 20:09:18
Scope tags Default
Table 69. Basics - Win - OIB - SC - Google Chrome - D - Security - v3.0 (Deprecated)
Name Value
Google
Google Chrome
Abusive Experience Intervention Enforce Enabled
Ads setting for sites with intrusive ads Enabled
Ads setting for sites with intrusive ads (Device) Do not allow ads on sites with intrusive ads
Allow download restrictions Enabled
Download restrictions (Device) Block malicious downloads. Recommended.
Allow proceeding from the SSL warning page Disabled
Allow queries to a Google time service Disabled
Allow websites to query for available payment methods. Disabled
Always Open PDF files externally Enabled
Block access to a list of URLs Enabled
Block access to a list of URLs (Device) chrome://flags;chrome://netinternals;chrome://tracing
Block third party cookies Enabled
Browser experiments icon in toolbar Disabled
Clear Browsing Data on Exit Disabled
Continue running background apps when Google Chrome is closed Disabled
Determine the availability of variations Disabled
Disable Certificate Transparency enforcement for a list of Legacy Certificate Authorities Disabled
Disable Certificate Transparency enforcement for a list of subjectPublicKeyInfo hashes Disabled
Disable proceeding from the Safe Browsing warning page Enabled
Enable AutoFill for addresses Disabled
Enable AutoFill for credit cards Disabled
Enable component updates in Google Chrome Enabled
Enable deleting browser and download history Disabled
Enable desktop sharing in the omnibox and 3-dot menu Disabled
Enable Renderer Code Integrity Enabled
Enable showing full-tab promotional content Disabled
Enable the Click to Call Feature Disabled
Enable the Shared Clipboard Feature Disabled
Enable warnings for insecure forms Enabled
Enables experimental policies Disabled
Force Google SafeSearch Enabled
Hide the web store from the New Tab Page and app launcher Enabled
Import autofill form data from default browser on first run Disabled
Import browsing history from default browser on first run Disabled
Import of homepage from default browser on first run Disabled
Import saved passwords from default browser on first run Disabled
Import search engines from default browser on first run Disabled
Minimum SSL version enabled Enabled
Minimum SSL version enabled (Device) TLS 1.2
Notify a user that a browser relaunch or device restart is recommended or required Enabled
Notify a user that a browser relaunch or device restart is recommended or required (Device) Show a recurring prompt to the user indicating that a relaunch is required
Set Google Chrome as Default Browser Disabled
Show the apps shortcut in the bookmark bar Disabled
Suppress lookalike domain warnings on domains Disabled
Suppress the unsupported OS warning Disabled
Extensions
Blocks external extensions from being installed Enabled
Google Cast
Enable Google Cast Disabled
HTTP authentication
Cross-origin HTTP Authentication prompts Disabled
Supported authentication schemes Enabled
Supported authentication schemes (Device) ntlm,negotiate
Native Messaging
Allow user-level Native Messaging hosts (installed without admin permissions) Disabled
Password manager
Enable saving passwords to the password manager Disabled
Remote access
Allow remote access connections to this machine Disabled
Allow remote support connections to this machine Disabled
Safe Browsing settings
Safe Browsing Protection Level Enabled
Safe Browsing Protection Level (Device) Safe Browsing is active in the standard mode.
Table 70. Settings - Win - OIB - SC - Google Chrome - D - Security - v3.0 (Deprecated)

Win - OIB - SC - Google Chrome - U - Experience and Extensions - v3.0 (Deprecated)

Name Value
Basics
Name Win - OIB - SC - Google Chrome - U - Experience and Extensions - v3.0 (Deprecated)
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:32
Last modified 05 December 2024 20:09:34
Scope tags Default
Table 71. Basics - Win - OIB - SC - Google Chrome - U - Experience and Extensions - v3.0 (Deprecated)
Name Value
Google
Extensions
Blocks external extensions from being installed (User) Enabled
Configure extension installation allow list (User) Enabled
Extension IDs to exempt from the blocklist (User) ppnbnpeolgkicgegkbkbjmhlideopiji;ggjhpefgjjfobnfoldnjipclpcfbgbhl;lfmemoeeciijgkjkgbgikoonlkabmlno;gpaiobkfhnonedkhhfjpmhdalgeoebfa
Configure extension installation blocklist (User) Enabled
Extension IDs the user should be prevented from installing (or `* for all) (User) `*
Configure the list of force-installed apps and extensions (User) Enabled
Extension/App IDs and update URLs to be silently installed (User) ppnbnpeolgkicgegkbkbjmhlideopiji;https://clients2.google.com/service/update2/crx
Startup Home page and New Tab page
Action on startup (User) Enabled
Action on startup (User) Restore the last session
Show Home button on toolbar (User) Enabled
Table 72. Settings - Win - OIB - SC - Google Chrome - U - Experience and Extensions - v3.0 (Deprecated)

Win - OIB - SC - Google Chrome - U - Profiles, Sign-In and Sync - v3.0 (Deprecated)

Name Value
Basics
Name Win - OIB - SC - Google Chrome - U - Profiles, Sign-In and Sync - v3.0 (Deprecated)
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:32
Last modified 05 December 2024 20:09:49
Scope tags Default
Table 73. Basics - Win - OIB - SC - Google Chrome - U - Profiles, Sign-In and Sync - v3.0 (Deprecated)
Name Value
Google
Google Chrome
Browser sign in settings (User) Enabled
Browser sign in settings (User) Disable browser sign-in
Disable synchronization of data with Google (User) Enabled
Enable add person in user manager (User) Disabled
Enable guest mode in browser (User) Disabled
Enable the creation of roaming copies for Google Chrome profile data (User) Disabled
Ephemeral profile (User) Disabled
Profile picker availability on startup (User) Disabled
Restrict which Google accounts are allowed to be set as browser primary accounts in Google Chrome (User) Disabled
Table 74. Settings - Win - OIB - SC - Google Chrome - U - Profiles, Sign-In and Sync - v3.0 (Deprecated)

Win - OIB - SC - Internet Explorer (Legacy) - D - Security - v3.1.1

Name Value
Basics
Name Win - OIB - SC - Internet Explorer (Legacy) - D - Security - v3.1.1
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 10 April 2024 21:01:43
Last modified 05 December 2024 20:10:18
Scope tags Default
Table 75. Basics - Win - OIB - SC - Internet Explorer (Legacy) - D - Security - v3.1.1
Name Value
Administrative Templates
Advanced Page
Allow software to run or install even if the signature is invalid Disabled
Check for server certificate revocation Enabled
Check for signatures on downloaded programs Enabled
Do not allow ActiveX controls to run in Protected Mode when Enhanced Protected Mode is enabled Enabled
Turn off encryption support Enabled
Secure Protocol combinations Only use TLS 1.2
Turn on 64-bit tab processes when running in Enhanced Protected Mode on 64-bit versions of Windows Enabled
Turn on Enhanced Protected Mode Enabled
Internet Control Panel
Prevent ignoring certificate errors Enabled
Internet Zone
Access data sources across domains Enabled
Access data sources across domains Disable
Allow cut, copy or paste operations from the clipboard via script Enabled
Allow paste operations via script Disable
Allow drag and drop or copy and paste files Enabled
Allow drag and drop or copy and paste files Disable
Allow loading of XAML files Enabled
XAML Files Disable
Allow only approved domains to use ActiveX controls without prompt Enabled
Only allow approved domains to use ActiveX controls without prompt Enable
Allow only approved domains to use the TDC ActiveX control Enabled
Only allow approved domains to use the TDC ActiveX control Enable
Allow script-initiated windows without size or position constraints Enabled
Allow script-initiated windows without size or position constraints Disable
Allow scripting of Internet Explorer WebBrowser controls Enabled
Internet Explorer web browser control Disable
Allow scriptlets Enabled
Scriptlets Disable
Allow updates to status bar via script Enabled
Status bar updates via script Disable
Allow VBScript to run in Internet Explorer Enabled
Allow VBScript to run in Internet Explorer Disable
Automatic prompting for file downloads Enabled
Automatic prompting for file downloads Disable
Don't run antimalware programs against ActiveX controls Enabled
Don't run antimalware programs against ActiveX controls Disable
Download signed ActiveX controls Enabled
Download signed ActiveX controls Disable
Download unsigned ActiveX controls Enabled
Download unsigned ActiveX controls Disable
Enable dragging of content from different domains across windows Enabled
Enable dragging of content from different domains across windows Disable
Enable dragging of content from different domains within a window Enabled
Enable dragging of content from different domains within a window Disable
Include local path when user is uploading files to a server Enabled
Include local directory path when uploading files to a server Disable
Initialize and script ActiveX controls not marked as safe Enabled
Initialize and script ActiveX controls not marked as safe Disable
Java permissions Enabled
Java permissions Disable Java
Launching applications and files in an IFRAME Enabled
Launching applications and files in an IFRAME Disable
Logon options Enabled
Logon options Prompt for user name and password
Navigate windows and frames across different domains Enabled
Navigate windows and frames across different domains Disable
Run .NET Framework-reliant components not signed with Authenticode Enabled
Run .NET Framework-reliant components not signed with Authenticode Disable
Run .NET Framework-reliant components signed with Authenticode Enabled
Run .NET Framework-reliant components signed with Authenticode Disable
Show security warning for potentially unsafe files Enabled
Launching programs and unsafe files Prompt
Turn on Cross-Site Scripting Filter Enabled
Turn on Cross-Site Scripting (XSS) Filter Enable
Turn on Protected Mode Enabled
Protected Mode Enable
Turn on SmartScreen Filter scan Enabled
Use SmartScreen Filter Enable
Use Pop-up Blocker Enabled
Use Pop-up Blocker Enable
Userdata persistence Enabled
Userdata persistence Disable
Web sites in less privileged Web content zones can navigate into this zone Enabled
Web sites in less privileged Web content zones can navigate into this zone Disable
Security Page
Intranet Sites: Include all network paths (UNCs) Disabled
Turn on certificate address mismatch warning Enabled
Intranet Zone
Don't run antimalware programs against ActiveX controls Enabled
Don't run antimalware programs against ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Enabled
Initialize and script ActiveX controls not marked as safe Disable
Java permissions Enabled
Java permissions High safety
Local Machine Zone
Don't run antimalware programs against ActiveX controls Enabled
Don't run antimalware programs against ActiveX controls Disable
Java permissions Enabled
Java permissions Disable Java
Locked-Down Internet Zone
Turn on SmartScreen Filter scan Enabled
Use SmartScreen Filter Enable
Locked-Down Intranet Zone
Java permissions Enabled
Java permissions Disable Java
Locked-Down Local Machine Zone
Java permissions Enabled
Java permissions Disable Java
Locked-Down Restricted Sites Zone
Java permissions Enabled
Java permissions Disable Java
Turn on SmartScreen Filter scan Enabled
Use SmartScreen Filter Enable
Locked-Down Trusted Sites Zone
Java permissions Enabled
Java permissions Disable Java
Restricted Sites Zone
Access data sources across domains Enabled
Access data sources across domains Disable
Allow active scripting Enabled
Allow active scripting Disable
Allow binary and script behaviors Enabled
Allow Binary and Script Behaviors Disable
Allow cut, copy or paste operations from the clipboard via script Enabled
Allow paste operations via script Disable
Allow drag and drop or copy and paste files Enabled
Allow drag and drop or copy and paste files Disable
Allow file downloads Enabled
Allow file downloads Disable
Allow loading of XAML files Enabled
XAML Files Disable
Allow META REFRESH Enabled
Allow META REFRESH Disable
Allow only approved domains to use ActiveX controls without prompt Enabled
Only allow approved domains to use ActiveX controls without prompt Enable
Allow only approved domains to use the TDC ActiveX control Enabled
Only allow approved domains to use the TDC ActiveX control Enable
Allow script-initiated windows without size or position constraints Enabled
Allow script-initiated windows without size or position constraints Disable
Allow scripting of Internet Explorer WebBrowser controls Enabled
Internet Explorer web browser control Disable
Allow scriptlets Enabled
Scriptlets Disable
Allow updates to status bar via script Enabled
Status bar updates via script Disable
Allow VBScript to run in Internet Explorer Enabled
Allow VBScript to run in Internet Explorer Disable
Automatic prompting for file downloads Enabled
Automatic prompting for file downloads Disable
Don't run antimalware programs against ActiveX controls Enabled
Don't run antimalware programs against ActiveX controls Disable
Download signed ActiveX controls Enabled
Download signed ActiveX controls Disable
Download unsigned ActiveX controls Enabled
Download unsigned ActiveX controls Disable
Enable dragging of content from different domains across windows Enabled
Enable dragging of content from different domains across windows Disable
Enable dragging of content from different domains within a window Enabled
Enable dragging of content from different domains within a window Disable
Enable MIME Sniffing Enabled
Enable MIME Sniffing Disable
Include local path when user is uploading files to a server Enabled
Include local directory path when uploading files to a server Disable
Initialize and script ActiveX controls not marked as safe Enabled
Initialize and script ActiveX controls not marked as safe Disable
Java permissions Enabled
Java permissions Disable Java
Launching applications and files in an IFRAME Enabled
Launching applications and files in an IFRAME Disable
Logon options Enabled
Logon options Anonymous logon
Navigate windows and frames across different domains Enabled
Navigate windows and frames across different domains Disable
Run .NET Framework-reliant components not signed with Authenticode Enabled
Run .NET Framework-reliant components not signed with Authenticode Disable
Run .NET Framework-reliant components signed with Authenticode Enabled
Run .NET Framework-reliant components signed with Authenticode Disable
Run ActiveX controls and plugins Enabled
Run ActiveX controls and plugins Disable
Script ActiveX controls marked safe for scripting Enabled
Script ActiveX controls marked safe for scripting Disable
Scripting of Java applets Enabled
Scripting of Java applets Disable
Show security warning for potentially unsafe files Enabled
Launching programs and unsafe files Disable
Turn on Cross-Site Scripting Filter Enabled
Turn on Cross-Site Scripting (XSS) Filter Enable
Turn on Protected Mode Enabled
Protected Mode Enable
Turn on SmartScreen Filter scan Enabled
Use SmartScreen Filter Enable
Use Pop-up Blocker Enabled
Use Pop-up Blocker Enable
Userdata persistence Enabled
Userdata persistence Disable
Web sites in less privileged Web content zones can navigate into this zone Enabled
Web sites in less privileged Web content zones can navigate into this zone Disable
Trusted Sites Zone
Don't run antimalware programs against ActiveX controls Enabled
Don't run antimalware programs against ActiveX controls Disable
Initialize and script ActiveX controls not marked as safe Enabled
Initialize and script ActiveX controls not marked as safe Disable
Java permissions Enabled
Java permissions High safety
Internet Explorer
Prevent bypassing SmartScreen Filter warnings Enabled
Prevent bypassing SmartScreen Filter warnings about files that are not commonly downloaded from the Internet Disabled
Prevent managing SmartScreen Filter Enabled
Select SmartScreen Filter mode On
Prevent per-user installation of ActiveX controls Enabled
Security Zones: Do not allow users to add/delete sites Enabled
Security Zones: Do not allow users to change policies Enabled
Security Zones: Use only machine settings Enabled
Specify use of ActiveX Installer Service for installation of ActiveX controls Enabled
Turn off Crash Detection Enabled
Turn off the Security Settings Check feature Disabled
Turn on the auto-complete feature for user names and passwords on forms (User) Disabled
Add-on Management
Remove "Run this time" button for outdated ActiveX controls in Internet Explorer Enabled
Turn off blocking of outdated ActiveX controls for Internet Explorer Disabled
Security Features
Allow fallback to SSL 3.0 (Internet Explorer) Enabled
Allow insecure fallback for: No Sites
Consistent Mime Handling
Internet Explorer Processes Enabled
Mime Sniffing Safety Feature
Internet Explorer Processes Enabled
MK Protocol Security Restriction
Internet Explorer Processes Enabled
Notification bar
Internet Explorer Processes Enabled
Protection From Zone Elevation
Internet Explorer Processes Enabled
Restrict ActiveX Install
Internet Explorer Processes Enabled
Restrict File Download
Internet Explorer Processes Enabled
Scripted Window Security Restrictions
Internet Explorer Processes Enabled
Table 76. Settings - Win - OIB - SC - Internet Explorer (Legacy) - D - Security - v3.1.1

Win - OIB - SC - Microsoft Accounts - D - Configuration - v3.2

Name Value
Basics
Name Win - OIB - SC - Microsoft Accounts - D - Configuration - v3.2
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 16 July 2024 12:16:46
Last modified 05 December 2024 20:10:28
Scope tags Default
Table 77. Basics - Win - OIB - SC - Microsoft Accounts - D - Configuration - v3.2
Name Value
Accounts
Allow Adding Non Microsoft Accounts Manually Block
Allow Microsoft Account Connection Block
Administrative Templates
App runtime
Allow Microsoft accounts to be optional Enabled
Microsoft account
Block all consumer Microsoft account user authentication Enabled
Local Policies Security Options
Accounts Block Microsoft Accounts Users can't add or log on with Microsoft accounts
Table 78. Settings - Win - OIB - SC - Microsoft Accounts - D - Configuration - v3.2

Win - OIB - SC - Microsoft Edge - D - Security - v3.6

Name Value
Basics
Name Win - OIB - SC - Microsoft Edge - D - Security - v3.6
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 22 November 2024 11:38:21
Last modified 08 May 2025 17:22:21
Scope tags Default
Table 79. Basics - Win - OIB - SC - Microsoft Edge - D - Security - v3.6
Name Value
Microsoft Edge
Ads setting for sites with intrusive ads Enabled
Ads setting for sites with intrusive ads (Device) Block ads on sites with intrusive ads. (Default value)
Allow download restrictions Enabled
Download restrictions (Device) Block malicious downloads
Allow importing of browser settings Disabled
Allow importing of browsing history Disabled
Allow importing of home page settings Disabled
Allow importing of payment info Disabled
Allow importing of saved passwords Disabled
Allow importing of search engine settings Disabled
Allow managed extensions to use the Enterprise Hardware Platform API Disabled
Allow personalization of ads, search and news by sending browsing history to Microsoft Disabled
Allow queries to a Browser Network Time service Enabled
Allow the Search bar at Windows startup (obsolete) Disabled
Allow unconfigured sites to be reloaded in Internet Explorer mode Disabled
Allow users to proceed from the HTTPS warning page Disabled
Allow websites to query for available payment methods Disabled
Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode Disabled
Block tracking of users' web-browsing activity Enabled
Block tracking of users' web-browsing activity (Device) Balanced (blocks harmful trackers and trackers from sites user has not visited; content and ads will be less personalized)
Clear browsing data when Microsoft Edge closes Disabled
Clear cached images and files when Microsoft Edge closes Disabled
Configure the Share experience Disabled
Control communication with the Experimentation and Configuration Service Enabled
Control communication with the Experimentation and Configuration Service (Device) Disable communication with the Experimentation and Configuration Service
DNS interception checks enabled Enabled
Dynamic Code Settings Enabled
Dynamic Code Settings (Device) Default dynamic code settings
Enable Application Bound Encryption Enabled
Enable AutoFill for addresses Disabled
Enable AutoFill for payment instruments Disabled
Enable browser legacy extension point blocking Enabled
Enable renderer code integrity (deprecated) Enabled
Enable site isolation for every site Enabled
Enhance the security state in Microsoft Edge Enabled
Enhance the security state in Microsoft Edge (Device) Balanced mode
Hide the First-run experience and splash screen Enabled
Microsoft Edge Insider Promotion Enabled Disabled
Minimum TLS version enabled Enabled
Minimum SSL version enabled (Device) TLS 1.2
Show the Reload in Internet Explorer mode button in the toolbar Disabled
Cast
Enable Google Cast Disabled
Experimentation
Configure users ability to override feature flags Disabled
HTTP authentication
Supported authentication schemes Enabled
Supported authentication schemes (Device) ntlm,negotiate
Windows Hello For HTTP Auth Enabled Enabled
Native Messaging
Allow user-level native messaging hosts (installed without admin permissions) Disabled
Private Network Request Settings
Specifies whether to allow insecure websites to make requests to more-private network endpoints Disabled
Scareware Blocker settings
Configure Edge Scareware Blocker Protection Enabled
SmartScreen settings
Configure Microsoft Defender SmartScreen Enabled
Configure Microsoft Defender SmartScreen to block potentially unwanted apps Enabled
Force Microsoft Defender SmartScreen checks on downloads from trusted sources Enabled
Prevent bypassing Microsoft Defender SmartScreen prompts for sites Enabled
Prevent bypassing of Microsoft Defender SmartScreen warnings about downloads Enabled
Typosquatting Checker settings
Configure Edge Website Typo Protection Enabled
Table 80. Settings - Win - OIB - SC - Microsoft Edge - D - Security - v3.6

Win - OIB - SC - Microsoft Edge - D - Updates - v3.6

Name Value
Basics
Name Win - OIB - SC - Microsoft Edge - D - Updates - v3.6
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:38
Last modified 03 April 2025 10:21:44
Scope tags Default
Table 81. Basics - Win - OIB - SC - Microsoft Edge - D - Updates - v3.6
Name Value
Microsoft Edge
Enable component updates in Microsoft Edge Enabled
Notify a user that a browser restart is recommended or required for pending updates Enabled
Notify a user that a browser restart is recommended or required for pending updates (Device) Required - Show a recurring prompt to the user indicating that a restart is required
Set the time period for update notifications Enabled
Set the time period for update notifications: (Device) 259200000
Microsoft Edge Update
Microsoft Edge
Allow installation Enabled
Install Policy (Device) Force Installs (Machine-Wide)
Allow installation Enabled
Prevent Desktop Shortcut creation upon install Enabled
Target Channel override Enabled
Target Channel (Device) Stable
Update policy override Enabled
Policy (Device) Always allow updates (recommended)
Control updater's communication with the Experimentation and Configuration Service Enabled
Control updater's communication with Experimentation and Configuration Service (Device) Disable communication with the Experimentation and Configuration Service
Microsoft Edge Web View2 Runtime
Allow installation Enabled
Update policy override Enabled
Update Policy (Device) Always allow updates (recommended)
Microsoft Edge WebView
Allow installation Enabled
Install Policy (Device) Force Installs (Machine-Wide)
Preferences
Auto-update check period override Enabled
Minutes between update checks (Device) 240
Table 82. Settings - Win - OIB - SC - Microsoft Edge - D - Updates - v3.6

Win - OIB - SC - Microsoft Edge - U - Extensions - v3.1

Name Value
Basics
Name Win - OIB - SC - Microsoft Edge - U - Extensions - v3.1
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 26 October 2023 18:43:34
Last modified 05 December 2024 20:11:14
Scope tags Default
Table 83. Basics - Win - OIB - SC - Microsoft Edge - U - Extensions - v3.1
Name Value
Microsoft Edge
Extensions
Allow specific extensions to be installed (User) Disabled
Blocks external extensions from being installed (User) Enabled
Control which extensions are installed silently (User) Enabled
Extension/App IDs and update URLs to be silently installed (User) nkbndigcebkoaejohleckhekfmcecfja;ofefcgjbeghpigppfmkologfjadafddi
Control which extensions cannot be installed (User) Enabled
Extension IDs the user should be prevented from installing (or * for all) (User) *
Table 84. Settings - Win - OIB - SC - Microsoft Edge - U - Extensions - v3.1

Win - OIB - SC - Microsoft Edge - U - Password Management - v3.0

Name Value
Basics
Name Win - OIB - SC - Microsoft Edge - U - Password Management - v3.0
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:37
Last modified 05 December 2024 20:11:30
Scope tags Default
Table 85. Basics - Win - OIB - SC - Microsoft Edge - U - Password Management - v3.0
Name Value
Microsoft Edge
Password manager and protection
Allow users to be alerted if their passwords are found to be unsafe (User) Enabled
Allow users to get a strong password suggestion whenever they are creating an account online (User) Enabled
Configures a setting that asks users to enter their device password while using password autofill (User) Enabled
Configures a setting that asks users to enter their device password while using password autofill (User) With device password
Enable saving passwords to the password manager (User) Enabled
Table 86. Settings - Win - OIB - SC - Microsoft Edge - U - Password Management - v3.0

Win - OIB - SC - Microsoft Edge - U - Profiles, Sign-In and Sync - v3.0

Name Value
Basics
Name Win - OIB - SC - Microsoft Edge - U - Profiles, Sign-In and Sync - v3.0
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:39
Last modified 05 December 2024 20:11:45
Scope tags Default
Table 87. Basics - Win - OIB - SC - Microsoft Edge - U - Profiles, Sign-In and Sync - v3.0
Name Value
Microsoft Edge
Automatically import another browser's data and settings at first run (User) Disabled
Browser sign-in settings (User) Enabled
Browser sign-in settings (User) Force users to sign-in to use the browser
Configure whether a user always has a default profile automatically signed in with their work or school account (User) Enabled
Enable profile creation from the Identity flyout menu or the Settings page (User) Disabled
Enable use of ephemeral profiles (User) Disabled
Force synchronization of browser data and do not show the sync consent prompt (User) Enabled
Single sign-on for work or school sites using this profile enabled (User) Enabled
Identity and sign-in
Enable implicit sign-in (User) Enabled
Table 88. Settings - Win - OIB - SC - Microsoft Edge - U - Profiles, Sign-In and Sync - v3.0

Win - OIB - SC - Microsoft Edge - U - User Experience - v3.6

Name Value
Basics
Name Win - OIB - SC - Microsoft Edge - U - User Experience - v3.6
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 22 November 2024 10:44:18
Last modified 08 May 2025 16:47:57
Scope tags Default
Table 89. Basics - Win - OIB - SC - Microsoft Edge - U - User Experience - v3.6
Name Value
Microsoft Edge
Allow users to access the games menu (User) Disabled
Enable CryptoWallet feature (obsolete) (User) Disabled
Microsoft Edge built-in PDF reader powered by Adobe Acrobat enabled (User) Enabled
Shopping in Microsoft Edge Enabled (User) Disabled
Show Microsoft Rewards experiences (User) Disabled
Shows button on native PDF viewer in Microsoft Edge that allows users to sign up for Adobe Acrobat subscription (User) Disabled
Edge Workspaces settings
Enable Workspaces (User) Enabled
Games settings
Enable Gamer Mode (User) Disabled
Microsoft Edge - Default Settings (users can override)
Performance
Enable startup boost (User) Disabled
Sleeping Tabs settings
Configure Sleeping Tabs (User) Enabled
Startup, home page and new tab page
Action to take on Microsoft Edge startup (User) Enabled
Action to take on startup (User) Restore the last session
Configure the Microsoft Edge new tab page experience (User) Enabled
New tab page experience (User) Office 365 feed experience
Set new tab page quick links (User) Disabled
Show Home button on toolbar (User) Enabled
Table 90. Settings - Win - OIB - SC - Microsoft Edge - U - User Experience - v3.6

Win - OIB - SC - Microsoft Office - D - Security - v3.6

Name Value
Basics
Name Win - OIB - SC - Microsoft Office - D - Security - v3.6
Description NOTE: These policies are only applicable to Microsoft 365 Apps for Enterprise (included with M365 E*/A*/F*), not Microsoft 365 Apps for Business (included with M365 Business Premium).
Profile type Settings catalog
Platform supported Windows 10 and later
Created 31 January 2025 10:42:30
Last modified 13 May 2025 11:17:59
Scope tags Default
Table 91. Basics - Win - OIB - SC - Microsoft Office - D - Security - v3.6
Name Value
Administrative Templates
MS Security Guide
Block Flash activation in Office documents Enabled
Block Flash player in Office (Device) Block embedding/linking, allow other activation
Restrict legacy JScript execution for Office Enabled
Access: (Device) 69632
Excel: (Device) 69632
OneNote: (Device) 69632
Outlook: (Device) 69632
PowerPoint: (Device) 69632
Project: (Device) 69632
Publisher: (Device) 69632
Visio: (Device) 69632
Word: (Device) 69632
Microsoft Lync Feature Policies
Configure SIP security mode Enabled
Disable HTTP fallback for SIP connection Enabled
Microsoft Office 2016 (Machine)
IE Security
Add-on Management Enabled
excel.exe (Device) True
exprwd.exe (Device) True
groove.exe (Device) True
msaccess.exe (Device) True
mse7.exe (Device) True
mspub.exe (Device) True
onent.exe (Device) True
outlook.exe (Device) True
powerpnt.exe (Device) True
pptview.exe (Device) True
spDesign.exe (Device) True
visio.exe (Device) True
winproj.exe (Device) True
winword.exe (Device) True
Consistent Mime Handling Enabled
excel.exe (Device) True
exprwd.exe (Device) True
groove.exe (Device) True
msaccess.exe (Device) True
mse7.exe (Device) True
mspub.exe (Device) True
onent.exe (Device) True
outlook.exe (Device) True
powerpnt.exe (Device) True
pptview.exe (Device) True
spDesign.exe (Device) True
visio.exe (Device) True
winproj.exe (Device) True
winword.exe (Device) True
Disable user name and password Enabled
excel.exe (Device) True
exprwd.exe (Device) True
groove.exe (Device) True
msaccess.exe (Device) True
mse7.exe (Device) True
mspub.exe (Device) True
onent.exe (Device) True
outlook.exe (Device) True
powerpnt.exe (Device) True
pptview.exe (Device) True
spDesign.exe (Device) True
visio.exe (Device) True
winproj.exe (Device) True
winword.exe (Device) True
Information Bar Enabled
excel.exe (Device) True
exprwd.exe (Device) True
groove.exe (Device) True
msaccess.exe (Device) True
mse7.exe (Device) True
mspub.exe (Device) True
onent.exe (Device) True
outlook.exe (Device) True
powerpnt.exe (Device) True
pptview.exe (Device) True
spDesign.exe (Device) True
visio.exe (Device) True
winproj.exe (Device) True
winword.exe (Device) True
Local Machine Zone Lockdown Security Enabled
excel.exe (Device) True
exprwd.exe (Device) True
groove.exe (Device) True
msaccess.exe (Device) True
mse7.exe (Device) True
mspub.exe (Device) True
onent.exe (Device) True
outlook.exe (Device) True
powerpnt.exe (Device) True
pptview.exe (Device) True
spDesign.exe (Device) True
visio.exe (Device) True
winproj.exe (Device) True
winword.exe (Device) True
Mime Sniffing Safety Feature Enabled
excel.exe (Device) True
exprwd.exe (Device) True
groove.exe (Device) True
msaccess.exe (Device) True
mse7.exe (Device) True
mspub.exe (Device) True
onent.exe (Device) True
outlook.exe (Device) True
powerpnt.exe (Device) True
pptview.exe (Device) True
spDesign.exe (Device) True
visio.exe (Device) True
winproj.exe (Device) True
winword.exe (Device) True
Navigate URL Enabled
excel.exe (Device) True
exprwd.exe (Device) True
groove.exe (Device) True
msaccess.exe (Device) True
mse7.exe (Device) True
mspub.exe (Device) True
onent.exe (Device) True
outlook.exe (Device) True
powerpnt.exe (Device) True
pptview.exe (Device) True
spDesign.exe (Device) True
visio.exe (Device) True
winproj.exe (Device) True
winword.exe (Device) True
Object Caching Protection Enabled
excel.exe (Device) True
exprwd.exe (Device) True
groove.exe (Device) True
msaccess.exe (Device) True
mse7.exe (Device) True
mspub.exe (Device) True
onent.exe (Device) True
outlook.exe (Device) True
powerpnt.exe (Device) True
pptview.exe (Device) True
spDesign.exe (Device) True
visio.exe (Device) True
winproj.exe (Device) True
winword.exe (Device) True
Protection From Zone Elevation Enabled
excel.exe (Device) True
exprwd.exe (Device) True
groove.exe (Device) True
msaccess.exe (Device) True
mse7.exe (Device) True
mspub.exe (Device) True
onent.exe (Device) True
outlook.exe (Device) True
powerpnt.exe (Device) True
pptview.exe (Device) True
spDesign.exe (Device) True
visio.exe (Device) True
winproj.exe (Device) True
winword.exe (Device) True
Restrict ActiveX Install Enabled
excel.exe (Device) True
exprwd.exe (Device) True
groove.exe (Device) True
msaccess.exe (Device) True
mse7.exe (Device) True
mspub.exe (Device) True
onent.exe (Device) True
outlook.exe (Device) True
powerpnt.exe (Device) True
pptview.exe (Device) True
spDesign.exe (Device) True
visio.exe (Device) True
winproj.exe (Device) True
winword.exe (Device) True
Restrict File Download Enabled
excel.exe (Device) True
exprwd.exe (Device) True
groove.exe (Device) True
msaccess.exe (Device) True
mse7.exe (Device) True
mspub.exe (Device) True
onent.exe (Device) True
outlook.exe (Device) True
powerpnt.exe (Device) True
pptview.exe (Device) True
spDesign.exe (Device) True
visio.exe (Device) True
winproj.exe (Device) True
winword.exe (Device) True
Saved from URL Enabled
excel.exe (Device) True
exprwd.exe (Device) True
groove.exe (Device) True
msaccess.exe (Device) True
mse7.exe (Device) True
mspub.exe (Device) True
onent.exe (Device) True
outlook.exe (Device) True
powerpnt.exe (Device) True
pptview.exe (Device) True
spDesign.exe (Device) True
visio.exe (Device) True
winproj.exe (Device) True
winword.exe (Device) True
Scripted Window Security Restrictions Enabled
excel.exe (Device) True
exprwd.exe (Device) True
groove.exe (Device) True
msaccess.exe (Device) True
mse7.exe (Device) True
mspub.exe (Device) True
onent.exe (Device) True
outlook.exe (Device) True
powerpnt.exe (Device) True
pptview.exe (Device) True
spDesign.exe (Device) True
visio.exe (Device) True
winproj.exe (Device) True
winword.exe (Device) True
Table 92. Settings - Win - OIB - SC - Microsoft Office - D - Security - v3.6

Win - OIB - SC - Microsoft Office - D - Updates - v3.0

Name Value
Basics
Name Win - OIB - SC - Microsoft Office - D - Updates - v3.0
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:40
Last modified 05 December 2024 20:12:05
Scope tags Default
Table 93. Basics - Win - OIB - SC - Microsoft Office - D - Updates - v3.0
Name Value
Microsoft Office 2016 (Machine)
Updates
Don't install extension for Microsoft Search in Bing that makes Bing the default search engine Enabled
Enable Automatic Updates Enabled
Hide option to enable or disable updates Enabled
Online Repair Enabled
Location of Office Deployment Tool: (Device) Not configured
Use Office CDN (if needed) (Device) True
Table 94. Settings - Win - OIB - SC - Microsoft Office - D - Updates - v3.0

Win - OIB - SC - Microsoft Office - U - Config and Experience - v3.6

Name Value
Basics
Name Win - OIB - SC - Microsoft Office - U - Config and Experience - v3.6
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 30 January 2025 12:18:11
Last modified 24 April 2025 10:28:39
Scope tags Default
Table 95. Basics - Win - OIB - SC - Microsoft Office - U - Config and Experience - v3.6
Name Value
Microsoft Excel 2016
Save
Default file format (User) Enabled
Save Excel files as (User) Excel Workbook (*.xlsx)
Suppress file format compatibility dialog box for OpenDocument Spreadsheet format (User) Enabled
Microsoft Office 2016
First Run
Disable First Run Movie (User) Enabled
Disable Office First Run on application boot (User) Enabled
Display Language
Allow users who aren't admins to install language accessory packs (User) Enabled
Language Preferences
Notify users if they do not have proofing tools for a language they use (User) Enabled
Miscellaneous
File links open preference default selection as Desktop App (User) Enabled
Hide Microsoft cloud-based file locations in the Backstage view (User) Enabled
Online Storage Filter Value: (User) 137
Suppress recommended settings dialog (User) Enabled
Trust Center
Allow users to receive and respond to in-product surveys from Microsoft (User) Disabled
Disable Opt-in Wizard on first run (User) Enabled
Enable Customer Experience Improvement Program (User) Disabled
Microsoft Outlook 2016
Exchange
Automatically configure profile based on Active Directory Primary SMTP address (User) Enabled
Prefer the provided account email in AutoDiscover auth prompts. (User) Enabled
Prevent adding non-default Exchange accounts (User) Enabled
Cached Exchange Mode
Download shared non-mail folders (User) Disabled
Use Cached Exchange Mode for new and existing Outlook profiles (User) Enabled
Use the Online Global Address List for Nickname Resolution (User) Enabled
RSS Feeds
Turn off RSS feature (User) Enabled
Other
Disable Outlook Mobile Hyperlink (User) Enabled
Make Outlook the default program for E-mail, Contacts, and Calendar (User) Enabled
Microsoft PowerPoint 2016
Save
Default file format (User) Enabled
Save PowerPoint files as (User) PowerPoint Presentation (*.pptx)
Suppress file format compatibility dialog box for OpenDocument Presentation format (User) Enabled
Microsoft Word 2016
Save
Default file format (User) Enabled
Save Word files as (User) Word Document (*.docx)
Do not display file format compatibility dialog box for OpenDocument text format (User) Enabled
Table 96. Settings - Win - OIB - SC - Microsoft Office - U - Config and Experience - v3.6

Win - OIB - SC - Microsoft Office - U - Security - v3.6

Name Value
Basics
Name Win - OIB - SC - Microsoft Office - U - Security - v3.6
Description NOTE: These policies are only applicable to Microsoft 365 Apps for Enterprise (included with M365 E*/A*/F*), not Microsoft 365 Apps for Business (included with M365 Business Premium).
Profile type Settings catalog
Platform supported Windows 10 and later
Created 31 January 2025 10:49:57
Last modified 13 May 2025 11:18:10
Scope tags Default
Table 97. Basics - Win - OIB - SC - Microsoft Office - U - Security - v3.6
Name Value
Microsoft Access 2016
Trust Center
Block macros from running in Office files from the Internet (User) Enabled
Disable Trust Bar Notification for unsigned application add-ins and block them (User) Enabled
Require that application add-ins are signed by Trusted Publisher (User) Enabled
VBA Macro Notification Settings (User) Enabled
Disable all except digitally signed macros
Trusted Locations
Allow Trusted Locations on the network (User) Disabled
Microsoft Excel 2016
Data Recovery
Do not show data extraction options when opening corrupt workbooks (User) Enabled
Advanced
Ask to update automatic links (User) Enabled
General
Load pictures from Web pages not created in Excel (User) Disabled
Save
Disable AutoRepublish (User) Enabled
Do not show AutoRepublish warning alert (User) Disabled
Security
Force file extension to match file type (User) Enabled
Always match file type
Scan encrypted macros in Excel Open XML workbooks (User) Enabled
Scan encrypted macros (default)
Turn off file validation (User) Disabled
WEBSERVICE Function Notification Settings (User) Enabled
Disable all with notification
Trust Center
Block Excel XLL Add-ins that come from an untrusted source (User) Enabled
Block
Block macros from running in Office files from the Internet (User) Enabled
Prevent Excel from running XLM macros (User) Enabled
Require that application add-ins are signed by Trusted Publisher (User) Enabled
Disable Trust Bar Notification for unsigned application add-ins and block them (User) Enabled
VBA Macro Notification Settings (User) Enabled
Disable all except digitally signed macros
External Content
Always prevent untrusted Microsoft Query files from opening (User) Enabled
Don't allow Dynamic Data Exchange (DDE) server launch in Excel (User) Enabled
Don't allow Dynamic Data Exchange (DDE) server lookup in Excel (User) Enabled
File Block Settings
dBase III / IV files (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Dif and Sylk files (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Excel 2 macrosheets and add-in files (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Excel 2 worksheets (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Excel 3 macrosheets and add-in files (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Excel 3 worksheets (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Excel 4 macrosheets and add-in files (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Excel 4 workbooks (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Excel 4 worksheets (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Excel 95 workbooks (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Excel 95-97 workbooks and templates (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Excel 97-2003 workbooks and templates (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Set default file block behavior (User) Enabled
Blocked files are not opened
Web pages and Excel 2003 XML spreadsheets (User) Disabled
Protected View
Always open untrusted database files in Protected View (User) Enabled
Do not open files from the Internet zone in Protected View (User) Disabled
Do not open files in unsafe locations in Protected View (User) Disabled
Set document behavior if file validation fails (User) Enabled
Open in Protected View
Checked: Allow edit. Unchecked: Do not allow edit. (User) False
Turn off Protected View for attachments opened from Outlook (User) Disabled
Trusted Locations
Allow Trusted Locations on the network (User) Disabled
Microsoft Office 2016
Customize
Disable UI extending from documents and templates (User) Enabled
Disallow in Access (User) True
Disallow in Excel (User) True
Disallow in InfoPath (User) True
Disallow in Outlook (User) True
Disallow in PowerPoint (User) True
Disallow in Project (User) False
Disallow in Publisher (User) True
Disallow in Visio (User) False
Disallow in Word (User) True
Security Settings
ActiveX Control Initialization (User) Enabled
ActiveX Control Initialization: (User) 6
Allow Basic Authentication prompts from network proxies (User) Disabled
Allow VBA to load typelib references by path from untrusted intranet locations (User) Disabled
Automation Security (User) Enabled
Set the Automation Security level (User) Use application macro security level
Control how Office handles form-based sign-in prompts (User) Enabled
Behavior: (User) Block all prompts
Specify hosts allowed to show form-based sign-in prompts to users: (User) Not configured
Disable additional security checks on VBA library references that may refer to unsafe locations on the local machine (User) Disabled
Disable all Trust Bar notifications for security issues (User) Disabled
Encryption mode for Information Rights Management (IRM) (User) Enabled
IRM Encryption Mode: (User) Cipher Block Chaining (CBC)
Encryption type for password protected Office 97-2003 files (User) Enabled
Encryption type: (User) Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256
Encryption type for password protected Office Open XML files (User) Enabled
Encryption type: (User) Microsoft Enhanced RSA and AES Cryptographic Provider,AES 256,256
Load Controls in Forms3 (User) Enabled
Load Controls in Forms3: (User) 1
Macro Runtime Scan Scope (User) Enabled
Enable for all documents
Protect document metadata for rights managed Office Open XML Files (User) Enabled
Trust Center
Allow mix of policy and user locations (User) Disabled
Server Settings
Disable the Office client from polling the SharePoint Server for published links (User) Enabled
Smart Documents (Word, Excel)
Disable Smart Document's use of manifests (User) Enabled
Microsoft Outlook 2016
Security Form Settings
Outlook Security Mode (User) Enabled
Allow Active X One Off Forms (User) Enabled
Sets which ActiveX controls to allow: (User) Load only Outlook Controls
Allow hyperlinks in suspected phishing e-mail messages (User) Disabled
Allow scripts in one-off Outlook forms (User) Disabled
Allow users to demote attachments to Level 2 (User) Disabled
Authentication with Exchange Server (User) Enabled
Select the authentication with Exchange server. (User) Kerberos Password Authentication
Configure Outlook object model prompt when accessing an address book (User) Enabled
Guard behavior: (User) Automatically Deny
Configure Outlook object model prompt When accessing the Formula property of a UserProperty object (User) Enabled
Guard behavior: (User) Automatically Deny
Configure Outlook object model prompt when executing Save As (User) Enabled
Guard behavior: (User) Automatically Deny
Configure Outlook object model prompt when reading address information (User) Enabled
Guard behavior: (User) Automatically Deny
Configure Outlook object model prompt when responding to meeting and task requests (User) Enabled
Guard behavior: (User) Automatically Deny
Configure Outlook object model prompt when sending mail (User) Enabled
Guard behavior: (User) Automatically Deny
Display Level 1 attachments (User) Disabled
Do not allow Outlook object model scripts to run for public folders (User) Enabled
Do not allow Outlook object model scripts to run for shared folders (User) Enabled
Enable RPC encryption (User) Enabled
Include Internet in Safe Zones for Automatic Picture Download (User) Disabled
Minimum encryption settings (User) Enabled
Minimum key size (in bits): (User) 168
Outlook Security Policy: (User) Use Outlook Security Group Policy
Prevent users from customizing attachment security settings (User) Enabled
Remove file extensions blocked as Level 1 (User) Enabled
Removed Extensions: (User) Not configured
Remove file extensions blocked as Level 2 (User) Enabled
Removed Extensions: (User) Not configured
Retrieving CRLs (Certificate Revocation Lists) (User) Enabled
When online always retrieve the CRL
Security setting for macros (User) Enabled
Security Level (User) Warn for signed, disable unsigned
Set Outlook object model custom actions execution prompt (User) Enabled
When executing a custom action: (User) Automatically Deny
Signature Warning (User) Enabled
Signature Warning (User) Always warn about invalid signatures
Use Unicode format when dragging e-mail message to file system (User) Disabled
Microsoft PowerPoint 2016
Security
Run Programs (User) Enabled
disable (don't run any programs)
Scan encrypted macros in PowerPoint Open XML presentations (User) Enabled
Scan encrypted macros (default)
Turn off file validation (User) Disabled
Trust Center
Block macros from running in Office files from the Internet (User) Enabled
Require that application add-ins are signed by Trusted Publisher (User) Enabled
Disable Trust Bar Notification for unsigned application add-ins and block them (User) Enabled
VBA Macro Notification Settings (User) Enabled
Disable all except digitally signed macros
File Block Settings
PowerPoint 97-2003 presentations, shows, templates and add-in files (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Set default file block behavior (User) Enabled
Blocked files are not opened
Protected View
Do not open files from the Internet zone in Protected View (User) Disabled
Do not open files in unsafe locations in Protected View (User) Disabled
Set document behavior if file validation fails (User) Enabled
Open in Protected View
Checked: Allow edit. Unchecked: Do not allow edit. (User) False
Turn off Protected View for attachments opened from Outlook (User) Disabled
Trusted Locations
Allow Trusted Locations on the network (User) Disabled
Microsoft Project 2016
Trust Center
Allow Trusted Locations on the network (User) Disabled
Block macros from running in Office files from the internet (User) Enabled
Require that application add-ins are signed by Trusted Publisher (User) Enabled
Disable Trust Bar Notification for unsigned application add-ins and block them (User) Enabled
VBA Macro Notification Settings (User) Enabled
Disable all except digitally signed macros
Microsoft Publisher 2016
Security
Publisher Automation Security Level (User) Enabled
By UI (prompted)
Trust Center
Block macros from running in Office files from the internet (User) Enabled
Require that application add-ins are signed by Trusted Publisher (User) Enabled
Disable Trust Bar Notification for unsigned application add-ins (User) Enabled
VBA Macro Notification Settings (User) Enabled
Disable all except digitally signed macros
Microsoft Visio 2016
Trust Center
Allow Trusted Locations on the network (User) Disabled
Block macros from running in Office files from the Internet (User) Enabled
Require that application add-ins are signed by Trusted Publisher (User) Enabled
Disable Trust Bar Notification for unsigned application add-ins and block them (User) Enabled
VBA Macro Notification Settings (User) Enabled
Disable all except digitally signed macros
File Block Settings
Visio 2000-2002 Binary Drawings, Templates and Stencils (User) Enabled
File block setting: (User) Open/Save blocked
Visio 2003-2010 Binary Drawings, Templates and Stencils (User) Enabled
File block setting: (User) Open/Save blocked
Visio 5.0 or earlier Binary Drawings, Templates and Stencils (User) Enabled
File block setting: (User) Open/Save blocked
Microsoft Word 2016
Trust Center
Block macros from running in Office files from the Internet (User) Enabled
Dynamic Data Exchange (User) Disabled
Require that application add-ins are signed by Trusted Publisher (User) Enabled
Disable Trust Bar Notification for unsigned application add-ins and block them (User) Enabled
Scan encrypted macros in Word Open XML documents (User) Enabled
Scan encrypted macros (default)
VBA Macro Notification Settings (User) Enabled
Disable all except digitally signed macros
File Block Settings
Set default file block behavior (User) Enabled
Blocked files are not opened
Word 2 and earlier binary documents and templates (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Word 2000 binary documents and templates (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Word 2003 binary documents and templates (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Word 2007 and later binary documents and templates (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Word 6.0 binary documents and templates (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Word 95 binary documents and templates (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Word 97 binary documents and templates (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Word XP binary documents and templates (User) Enabled
File block setting: (User) Open/Save blocked, use open policy
Protected View
Do not open files from the Internet zone in Protected View (User) Disabled
Do not open files in unsafe locations in Protected View (User) Disabled
Set document behavior if file validation fails (User) Enabled
Open in Protected View
Checked: Allow edit. Unchecked: Do not allow edit. (User) False
Turn off Protected View for attachments opened from Outlook (User) Disabled
Trusted Locations
Allow Trusted Locations on the network (User) Disabled
Security
Turn off file validation (User) Disabled
Table 98. Settings - Win - OIB - SC - Microsoft Office - U - Security - v3.6

Win - OIB - SC - Microsoft OneDrive - D - Configuration - v3.2

Name Value
Basics
Name Win - OIB - SC - Microsoft OneDrive - D - Configuration - v3.2
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 01 August 2024 14:53:56
Last modified 05 December 2024 20:12:33
Scope tags Default
Table 99. Basics - Win - OIB - SC - Microsoft OneDrive - D - Configuration - v3.2
Name Value
OneDrive
Allow syncing OneDrive accounts for only specific organizations Enabled
Tenant ID: (Device) 2d026a31-8c0a-4b36-8b34-07f42b6e2a87
Allow users to contact Microsoft for feedback and support Disabled
Enable automatic upload bandwidth management for OneDrive Enabled
Enable sync health reporting for OneDrive Enabled
Exclude specific kinds of files from being uploaded Enabled
Keywords: (Device) *.accdb;*.appx;*.bat;*.cmd;*.exe;*.img;*.iso;*.jar;*.lnk;*.mdb;*.msi;*.pst;*.reg;*.vbs;*.vhd;*.vhdx;*.vmdk
Prevent users from redirecting their Windows known folders to their PC Enabled
Set the sync app update ring Enabled
Update ring: (Device) Production
Silently move Windows known folders to OneDrive Enabled
Desktop (Device) True
Documents (Device) True
Pictures (Device) True
Show notification to users after folders have been redirected: (Device) Yes
Tenant ID: (Device) 2d026a31-8c0a-4b36-8b34-07f42b6e2a87
Silently sign in users to the OneDrive sync app with their Windows credentials Enabled
Use OneDrive Files On-Demand Enabled
Table 100. Settings - Win - OIB - SC - Microsoft OneDrive - D - Configuration - v3.2

Win - OIB - SC - Microsoft OneDrive - U - Configuration - v3.0

Name Value
Basics
Name Win - OIB - SC - Microsoft OneDrive - U - Configuration - v3.0
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:42
Last modified 05 December 2024 20:12:44
Scope tags Default
Table 101. Basics - Win - OIB - SC - Microsoft OneDrive - U - Configuration - v3.0
Name Value
OneDrive
Allow users to choose how to handle Office file sync conflicts (User) Enabled
Disable the tutorial that appears at the end of OneDrive Setup (User) Enabled
Prevent users from changing the location of their OneDrive folder (User) Enabled
Change location setting: (User) Not configured
Name 2d026a31-8c0a-4b36-8b34-07f42b6e2a87
Value 1
Prevent users from syncing personal OneDrive accounts (User) Enabled
Table 102. Settings - Win - OIB - SC - Microsoft OneDrive - U - Configuration - v3.0

Win - OIB - SC - Microsoft Store - D - Configuration - v3.4

Name Value
Basics
Name Win - OIB - SC - Microsoft Store - D - Configuration - v3.4
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 10 April 2024 20:36:24
Last modified 28 January 2025 17:20:15
Scope tags Default
Table 103. Basics - Win - OIB - SC - Microsoft Store - D - Configuration - v3.4
Name Value
Microsoft App Store
Allow All Trusted Apps Explicit deny.
Allow apps from the Microsoft app store to auto update Allowed.
Allow Developer Unlock Explicit deny.
Allow Game DVR Block
Block Non Admin User Install Block
MSI Allow User Control Over Install Disabled
MSI Always Install With Elevated Privileges Disabled
Table 104. Settings - Win - OIB - SC - Microsoft Store - D - Configuration - v3.4

Win - OIB - SC - Microsoft Store - U - Configuration - v3.3

Name Value
Basics
Name Win - OIB - SC - Microsoft Store - U - Configuration - v3.3
Description NOTE: The "Turn off the Store application" setting does not work on Windows Pro/Business SKUs:
https://learn.microsoft.com/en-gb/windows/client-management/mdm/policy-csp-admx-windowsstore?WT.mc_id=Portal-fx#removewindowsstore_2
Profile type Settings catalog
Platform supported Windows 10 and later
Created 31 July 2024 12:57:24
Last modified 05 December 2024 20:13:02
Scope tags Default
Table 105. Basics - Win - OIB - SC - Microsoft Store - U - Configuration - v3.3
Name Value
Administrative Templates
Start Menu and Taskbar
Do not allow pinning Store app to the Taskbar (User) Enabled
Store
Turn off the Store application (User) Enabled
Microsoft App Store
MSI Always Install With Elevated Privileges (User) Disabled
Table 106. Settings - Win - OIB - SC - Microsoft Store - U - Configuration - v3.3

Win - OIB - SC - Windows Hello for Business - D - Cloud Kerberos Trust - v3.5

Name Value
Basics
Name Win - OIB - SC - Windows Hello for Business - D - Cloud Kerberos Trust - v3.5
Description NOTE: Requires setup of Cloud Kerberos Trust to function.
https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/deploy/hybrid-cloud-kerberos-trust
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:45
Last modified 17 February 2025 13:00:16
Scope tags Default
Table 107. Basics - Win - OIB - SC - Windows Hello for Business - D - Cloud Kerberos Trust - v3.5
Name Value
Kerberos
Cloud Kerberos Ticket Retrieval Enabled Enabled
Windows Hello For Business
Device-scoped settings Not configured
Use Cloud Trust For On Prem Auth Enabled
Table 108. Settings - Win - OIB - SC - Windows Hello for Business - D - Cloud Kerberos Trust - v3.5

Win - OIB - SC - Windows Update for Business - D - Delivery Optimisation - v3.0

Name Value
Basics
Name Win - OIB - SC - Windows Update for Business - D - Delivery Optimisation - v3.0
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:45
Last modified 05 December 2024 20:13:32
Scope tags Default
Table 109. Basics - Win - OIB - SC - Windows Update for Business - D - Delivery Optimisation - v3.0
Name Value
Delivery Optimization
DO Absolute Max Cache Size 0
DO Allow VPN Peer Caching Not allowed
DO Download Mode HTTP blended with peering behind the same NAT
DO Group Id Source Entra ID Tenant ID
DO Max Cache Age 0
DO Max Cache Size 20
DO Min Background Qos 500
DO Min Battery Percentage Allowed To Upload 40
DO Min File Size To Cache 10
DO Min RAM Allowed To Peer 2
DO Monthly Upload Data Cap 0
DO Restrict Peer Selection By Local discovery (DNS-SD)
Table 110. Settings - Win - OIB - SC - Windows Update for Business - D - Delivery Optimisation - v3.0

Win - OIB - SC - Windows Update for Business - D - Reports and Telemetry - v3.0

Name Value
Basics
Name Win - OIB - SC - Windows Update for Business - D - Reports and Telemetry - v3.0
Description NOTE: Contains policies required for Windows Update for Business Reports. Further configuration required:
https://learn.microsoft.com/en-us/windows/deployment/update/wufb-reports-enable
Profile type Settings catalog
Platform supported Windows 10 and later
Created 09 August 2023 16:01:46
Last modified 05 December 2024 20:15:27
Scope tags Default
Table 111. Basics - Win - OIB - SC - Windows Update for Business - D - Reports and Telemetry - v3.0
Name Value
System
Allow device name to be sent in Windows diagnostic data Allowed.
Allow Telemetry Full
Configure Telemetry Opt In Change Notification Disable telemetry change notifications.
Configure Telemetry Opt In Settings Ux Disable Telemetry opt-in Settings.
Windows Update For Business
Allow Temporary Enterprise Feature Control Allowed
Table 112. Settings - Win - OIB - SC - Windows Update for Business - D - Reports and Telemetry - v3.0

Win - OIB - SC - Windows Update for Business - D - Restart Warnings - v3.1

Name Value
Basics
Name Win - OIB - SC - Windows Update for Business - D - Restart Warnings - v3.1
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 11 April 2024 11:05:02
Last modified 05 December 2024 20:15:44
Scope tags Default
Table 113. Basics - Win - OIB - SC - Windows Update for Business - D - Restart Warnings - v3.1
Name Value
Windows Update For Business
Auto Restart Notification Schedule 15 Minutes
Auto Restart Required Notification Dismissal User Dismissal.
Schedule Imminent Restart Warning 60 Minutes
Schedule Restart Warning 8 Hours
Table 114. Settings - Win - OIB - SC - Windows Update for Business - D - Restart Warnings - v3.1

Win - OIB - SC - Windows User Experience - D - Feature Configuration - v3.1

Name Value
Basics
Name Win - OIB - SC - Windows User Experience - D - Feature Configuration - v3.1
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 10 April 2024 20:35:25
Last modified 05 December 2024 20:15:58
Scope tags Default
Table 115. Basics - Win - OIB - SC - Windows User Experience - D - Feature Configuration - v3.1
Name Value
Administrative Templates
Filesystem
Enable dev drive Disabled
Experience
Configure Chat Icon Disabled
Search
Allow Cloud Search Allowed.
Allow Indexing Encrypted Stores Or Items Block
Disable Removable Drive Indexing Enable.
Widgets
Allow widgets Not allowed.
Table 116. Settings - Win - OIB - SC - Windows User Experience - D - Feature Configuration - v3.1

Win - OIB - SC - Windows User Experience - U - Copilot - v3.6

Name Value
Basics
Name Win - OIB - SC - Windows User Experience - U - Copilot - v3.6
Description
Profile type Settings catalog
Platform supported Windows 10 and later
Created 10 April 2024 20:35:10
Last modified 18 April 2025 12:09:03
Scope tags Default
Table 117. Basics - Win - OIB - SC - Windows User Experience - U - Copilot - v3.6
Name Value
Windows AI
Turn Off Copilot in Windows (User) Disable Copilot
Table 118. Settings - Win - OIB - SC - Windows User Experience - U - Copilot - v3.6