Baseline default: Disable Not all settings are documented, and won't be documented. Allowed. Baseline default: Disabled Baseline default: Disabled If the following registry value does not exist or is not configured as specified, this is a finding. Learn more, Block heap termination on corruption: Baseline default: Disabled Refuse LM and NTLM Baseline default: 32768 To summarize: Create the Windows kiosk settings profile to run the device in kiosk mode. Baseline default: Enabled Typically, users are shown an Azure AD sign-in window. Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts CSP. Learn more, Unencrypted traffic: When set to Not configured (default), Intune doesn't change or update this setting. GDI DPI scaling is turned on for all legacy applications in your list. When set to Not configured (default), Intune doesn't change or update this setting. For that, we simply drag the EXE file we want to start to this BAT file on the desktop. Navigate to the below path in the Windows machine. Baseline default: Yes Baseline default: Success and Failure, Account Logon Audit Kerberos Authentication Service (Device): These images are shown as links in the Windows Start menu for desktop devices. Learn more, BitLocker removable drive policy: With this connection, your support staff can remotely connect to the user's device. Required extensions: Choose which extensions can't be turned off by users in Microsoft Edge. No (default) allows users to use Microsoft Edge. When the value is blank, Intune doesn't change or update this setting. When set to Not configured (default), Intune doesn't change or update this setting. Learn more, Internet Explorer internet zone copy and paste via script: By default, the OS might let users create simple passwords.
Baseline default: Block Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer registry subkey. Baseline default: Yes Disable may also affect some enrollment scenarios that rely on users to complete the enrollment. Behavior monitoring: Enable turns on behavior monitoring, and checks for certain known patterns of suspicious activity on devices. During a quick scan, mapped network drives may still be scanned. The name of the area, in the Policy CSP, simply translates to the location in the local group policies. Trusted app installation: Choose if non-Microsoft Store apps can be installed, also known as sideloading. By default, the OS might allow app and content suggestions from partners, and show suggested apps in the Start menu, and Windows tips. Don't configure the Time to perform a daily quick scan setting simultaneously with the Type of system scan to perform set to Quick scan. Learn more, Internet Explorer locked down intranet zone java permissions: Learn more, Internet Explorer internet zone do not run antimalware against ActiveX controls: Or, Export the package family names you enter. Not natively inside of Intune, no -- the usual suggestions you'll see will be. Baseline default: Enable Windows Hello device authentication: Allow users to use a Windows Hello companion device, such as a phone, fitness band, or IoT device, to sign in to a Windows 10/11 computer. If you disable this policy, a Windows app can't share app data with other instances of that app. Become read-only. Default is 5 minutes. Account Logon Audit Credential Validation (Device): Submit samples consent: Currently, this setting has no impact. Learn more, Prompt for password upon connection: Baseline default: Disable Bluetooth/AllowPromptedProximalConnections CSP. Region settings modification (desktop only): Block prevents users from changing the region settings on the device. 
These settings use the personalization policy CSP, which also lists the supported Windows editions. If you choose No, the other individual settings only apply to desktop. Administrators can use the EdgeHomepageUrls to enter the start pages that users see by default when they open Microsoft Edge. When set to Not configured (default), Intune doesn't change or update this setting. Baseline default: Disabled Baseline default: Enabled If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages. No prevents users from opening InPrivate browsing sessions. Learn more, Block Office applications from injecting code into other processes: Baseline default: High safety Different baseline types, like the MDM security and the Defender for Endpoint baselines, could also set different defaults. By default, the OS might show the most used apps. Baseline default: Disabled Baseline default: Enabled Baseline default: Enabled Learn more, Remove matching hardware devices: Password expiration (days): Enter the length of time in days when the device password must be changed, from 1-365. Allow InPrivate browsing: Yes (default) allows InPrivate browsing in Microsoft Edge. Baseline default: 32768 Learn more, Internet Explorer restricted zone access to data sources: Go to "Start -> Settings -> Accounts -> Your Info". By default, the OS might turn on this setting, and allow users to change it. The format for this setting is server:port. Learn more, Block unverified file download: These settings use the NetworkProxy policy CSP, which also lists the supported Windows editions. The OS searches and installs matching printer drivers for each printer on the device. ApplicationManagement/AllowAllTrustedApps CSP. Cortana: Block disables the Cortana voice assistant on the device. When set to Not configured (default), Intune doesn't change or update this setting. Baseline default: Disabled Users can't turn off this setting.
Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). Edit the Policy, where you have created the package. After you update a profile to the current baseline version, you can edit the profile to modify settings. When set to Not configured (default), Intune doesn't change or update this setting. Baseline default: Disabled Learn more, Internet Explorer ignore certificate errors: These settings use the search policy CSP, which also lists the supported Windows editions. Add provisioning packages: Block prevents the run time configuration agent that installs provisioning packages on the device. Learn more, Administrator elevation prompt behavior: For information about recent changes for Windows Telemetry, see Changes to Windows diagnostic data collection. All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies. Send intranet traffic to Internet Explorer (Desktop only): Yes lets users open intranet websites in Internet Explorer instead of Microsoft Edge. Again, I have some questions... The setting becomes effective the next time the device is wiped or reset. Learn more, Enter how often (0-24 hours) to check for security intelligence updates. Those local group policy settings can be found at Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options. For example, enter https://contoso.com/logo.png. End processes from Task Manager: This setting determines whether non-administrators can use Task Manager to end tasks. Learn more, Block simple passwords: You can continue to use those profiles but can't edit them to change their configuration. ApplicationManagement/AllowSharedUserAppData CSP. This setting is only available when running in Normal mode (multi-app kiosk).
Direct Memory Access: Block prevents direct memory access (DMA) for all hot pluggable PCI downstream ports until a user signs into Windows. Learn more, Internet Explorer internet zone popup blocker: Setting this policy directs Windows Installer to use system permissions when it installs the application on the system. Baseline default: Disable For example, enter https://contoso.com/image.png. By default, the OS might not give users this option. By default, the OS might allow users to ignore the warnings, and continue to download the unverified files. Experience/AllowWindowsSpotlightWindowsWelcomeExperience CSP. NFC: Block prevents near field communications (NFC) capabilities. Lid close (mobile only): When the device is using battery power, choose what happens when the lid is closed. Baseline default: Yes These settings use the display policy CSP, which also lists the supported Windows editions. Baseline default: Block Baseline default: Block Disabled: Sets the Microsoft Sign-in Assistant service (wlidsvc) to Disabled, and prevents users from manually starting it. Learn more, Virtualization based security: ApplicationManagement/LaunchAppAfterLogOn CSP. Baseline default: Disable When set to Not configured (default), Intune doesn't change or update this setting. Security/PreventAutomaticDeviceEncryptionForAzureADJoinedDevices CSP. If your goal is to minimize network traffic from devices, then select Yes. Your options: HomeGroup on Start: Hide or show the HomeGroup shortcut in the Windows Start menu. Action center notifications (mobile only): Block prevents Action Center notifications from showing on the device lock screen. Removable drive indexing: Block prevents locations on removable drives from being added to libraries, and from being indexed. This can be exploited by an attacker in order to escalate their privileges, gain control over the system, and perform malicious acts. 3.
Baseline default: Configure If Windows Installer detects that an installation package has permitted the user to change a protected option, it stops the installation and displays a message. Some recommendations: If you want to schedule a daily quick scan, and a weekly full scan, then: If you only want one quick scan daily (no full scan), then use either setting: Time to perform a daily quick scan or Type of system scan to perform. Baseline default: Block Enter a value from 1 (most frequent) to 500 (least frequent). By default, the system might apply the current user's permissions when it installs programs that a system administrator doesn't deploy or offer. Baseline default: Success and Failure, Audit Authentication Policy Change (Device): You'll probably need to decide which groups to put them in and have Power User / User / Admin, etc. Baseline default: Enabled This setting directs Windows Installer to use system permissions when it installs any program. Install apps with elevated privileges: Block directs Windows Installer to use elevated permissions when it installs any program on the system. Experience/AllowWindowsSpotlightOnActionCenter CSP. And you will get a PowerShell which is automatically elevated (as long as you run the Windows default UAC settings). When set to Not configured (default), Intune doesn't change or update this setting. This folder is available through the Windows. Be sure to use a semi-colon delimited list of Package Family Names (PFN) of Windows applications. Baseline default: 15 Learn more, Internet Explorer internet zone logon options: Baseline default: Yes Baseline default: Disabled Baseline default: Disabled When set to Not configured (default), Intune doesn't change or update this setting. When set to Not configured (default), Intune doesn't change or update this setting. Network Internet: Block prevents access to the Network & Internet area of the Settings app on the device.
This feature controls what data Microsoft Edge sends to Microsoft 365 Analytics for enterprise devices with a configured commercial ID. Only exclude files you know aren't malicious. If you allow these services, Microsoft might collect voice data to improve the service. When set to Not configured (default), Intune doesn't change or update this setting. Send do-not-track headers: Yes sends do-not-track headers to websites requesting tracking info (recommended). Baseline default: Enable When set to Not configured (default), Intune doesn't change or update this setting. Baseline default: Enabled Your options: SmartScreen for Microsoft Edge: Require turns on Microsoft Defender SmartScreen, and prevents users from turning it off. Automatic encryption during AADJ: Block prevents automatic BitLocker device encryption when devices are prepared for first use, and when devices are Azure AD joined. By default, the OS might let Microsoft Defender choose the best option. When set to Not configured (default), Intune doesn't change or update this setting. Federal Information Processing Standard (FIPS) policy: Allow uses the Federal Information Processing Standard (FIPS) policy, which is a U.S. government standard for encryption, hashing, and signing. By default, the OS might set it to 70%.