1 | 1 | # OIB Windows Change Log |
2 | 2 |
|
| 3 | +# Windows v3.6 - 2025-05-13 - Post-MMS Edition |
| 4 | +## Added |
| 5 | +### Settings Catalog |
| 6 | +**Win - OIB - SC - Microsoft Office - D - Device Security - v3.6** |
| 7 | +**Win - OIB - SC - Microsoft Office - U - User Security - v3.6** |
| 8 | +By popular demand, I've added a new set of policies to help secure Microsoft Office on Windows devices. These policies are based on the most recent [Microsoft 365 Apps Security Baseline v2412](https://learn.microsoft.com/en-us/microsoft-365-apps/security/security-baseline) and are designed to enhance the security posture of Office applications. |
| 9 | + |
| 10 | +I have split the policies into two separate profiles: one for Device Security and one for User Security. This allows for more granular control over the security settings applied to Office applications if required. |
| 11 | + |
| 12 | +> [!IMPORTANT] |
| 13 | +> These policies are only applicable to Microsoft 365 Apps for Enterprise (included with M365 E*/A*/F*), **not** Microsoft 365 Apps for Business (included with M365 Business Premium). |
| 14 | +> This behaviour is [documented here](https://learn.microsoft.com/en-us/microsoft-365-apps/admin-center/overview-cloud-policy#:~:text=You%20can%20create%20a%20policy%20configuration%20for%20Microsoft%20365%20Apps%20for%20business%2C%20but%20only%20policy%20settings%20related%20to%20privacy%20controls%20are%20supported) |
| 15 | +
|
| 16 | +>[!WARNING] |
| 17 | +> The M365 Apps Security Baseline disables a number of features that may impact user experience, such the use macros, add-ins. Please review the settings and test in a controlled environment before deploying widely! |
| 18 | +
|
| 19 | +**Win - OIB - SC - Device Security - D - Local Security Policies (24H2+) - v3.6** |
| 20 | +* Exact duplicate of the existing Local Security Policies profile with one difference to support the new LAPS settings while maintaining a good security posture. |
| 21 | + * Accounts Enable Administrator Account Status - `Disable` |
| 22 | + |
| 23 | +### Endpoint Security |
| 24 | +**Win - OIB - ES - Windows LAPS - D - LAPS Configuration (24H2+) - v3.6** |
| 25 | +* Added the following settings to benefit from the new 24H2 LAPS configuration: |
| 26 | + * Backup Directory - Backup the password to Azure AD only |
| 27 | + * Password Age (Days) - 7 |
| 28 | + * Password Complexity - Passphrase (short words with unique prefixes) |
| 29 | + * Passphrase Length - 4 |
| 30 | + * Password Length - 21 |
| 31 | + * Post-Authentication Actions - Reset the password, logoff the managed account, and terminate any remaining processes |
| 32 | + * Post-Authentication Reset Delay (Hours) - 1 |
| 33 | + * Automatic Account Management Enabled - The target account will be automatically managed |
| 34 | + * Automatic Account Management Enable Account - The target account will be automatically managed |
| 35 | + * Automatic Account Management Randomize Name - The name of the target account will not use a random numeric suffix |
| 36 | + * Automatic Account Management Target - Manage a new custom administrator account |
| 37 | + |
| 38 | + |
| 39 | +## Changed/Updated |
| 40 | +### Settings Catalog |
| 41 | +**Win - OIB - SC - Defender Antivirus - D - Additional Configuration** |
| 42 | +* Added newly added setting from the 24H2 Security Baseline: |
| 43 | + * Enable Dynamic Signature Dropped Event Reporting - `Dynamic Security intelligence update events will be reported.` |
| 44 | + |
| 45 | +**Win - OIB - SC - Device Security - D - Security Hardening** |
| 46 | +* Added additional settings now available from the 24H2 Security Baseline: |
| 47 | + |
| 48 | + **Lanman Server** |
| 49 | + * Audit Client Does Not Support Encryption - `Enabled` |
| 50 | + * Audit Client Does Not Support Signing - `Enabled` |
| 51 | + * Audit Insecure Guest Logon - `Enabled` |
| 52 | + * Auth Rate Limiter Delay In Ms - `2000` |
| 53 | + * Enable Auth Rate Limiter - `Enabled` |
| 54 | + * Enable Mailslots - `Disabled` |
| 55 | + * Max Smb2 Dialect - `SMB 3.0.0` |
| 56 | + * Min Smb2 Dialect - `SMB 3.1.1` |
| 57 | + |
| 58 | + **Lanman Workstation** |
| 59 | + * Audit Server Does Not Support Encryption - `Enabled` |
| 60 | + * Audit Server Does Not Support Signing - `Enabled` |
| 61 | + * Audit Insecure Guest Logon - `Enabled` |
| 62 | + * Enable Mailslots - `Disabled` |
| 63 | + * Max Smb2 Dialect - `SMB 3.0.0` |
| 64 | + * Min Smb2 Dialect - `SMB 3.1.1` |
| 65 | + * Require Encryption - `Disabled` |
| 66 | + |
| 67 | +**Win - OIB - SC - Device Security - U - Power and Device Lock** |
| 68 | +* Removed following settings as they have been removed from the CIS recommendations: |
| 69 | + * Allow standby states (S1-S3) when sleeping (on battery) |
| 70 | + * Allow standby states (S1-S3) when sleeping (plugged in) |
| 71 | + * Allow Hibernate |
| 72 | + * Require use of fast startup |
| 73 | + |
| 74 | +**Win - OIB - SC - Microsoft Edge - D - Security** |
| 75 | +* Added the following settings from the Microsoft Edge baseline and CIS Edge Benchmark: |
| 76 | + * Allow download restrictions - `Block Malicious Downloads` (Reduced from "Block malicious downloads and dangerous file types") |
| 77 | + * Automatically open downloaded MHT or MHTML files from the web in Internet Explorer mode - `Disabled` |
| 78 | + * Dynamic Code Settings - `Enabled` |
| 79 | + *Dynamic Code Settings (Device) - `Default Dynamic Code Settings` |
| 80 | + * Enable Application Bound Encryption - `Enabled` |
| 81 | + * Enable browser legacy extension point blocking - `Enabled` |
| 82 | + * Enable site isolation for every site - `Enabled` |
| 83 | + * Enhance the security state in Microsoft Edge - `Enabled` |
| 84 | + * Enhance the security state in Microsoft Edge (Device) - `Balanced Mode` |
| 85 | + * Show the Reload in Internet Explorer mode button in the toolbar - `Disabled` |
| 86 | + * Specifies whether to allow insecure websites to make requests to more-private network endpoints - `Disabled` |
| 87 | + |
| 88 | +* Added the following setting to turn on the new [Scareware Protection](https://blogs.windows.com/msedgedev/2025/01/27/stand-up-to-scareware-with-scareware-blocker/) feature. |
| 89 | + * Configure Edge Scareware Blocker Protection - `Enabled` |
| 90 | + |
| 91 | +**Win - OIB - SC - Microsoft Edge - D - Updates** |
| 92 | +* Added "Set the time period for update notifications" configured to `259200000` which is the time in milliseconds (72 hours) before Edge forces a restart to apply a pending update. |
| 93 | + |
| 94 | +**Win - OIB - SC - Microsoft Edge - U - User Experience** |
| 95 | +* Removed "Enable full-tab promotional content" as it was deprecated. |
| 96 | +* Added "Enable Gamer Mode" set to `Disabled` |
| 97 | + |
| 98 | +**Win - OIB - SC - Microsoft Office - U - Config and Experience** |
| 99 | +* Removed deprecated version of "Allow users to receive and respond to in-product surveys from Microsoft". |
| 100 | + |
| 101 | +**Win - OIB - SC - Windows User Experience - U - Copilot** |
| 102 | +* Changed "Turn Off Copilot in Windows" from "Enable Copilot" to "Disable Copilot". |
| 103 | +> [!NOTE] |
| 104 | +> This only impacts the old experience. I recommend also deploying the "Microsoft Copilot" app (9NHT9RB2F4HD) as a required uninstall. |
| 105 | +> https://learn.microsoft.com/en-gb/windows/client-management/manage-windows-copilot#policy-information-for-previous-copilot-in-windows-preview-experience |
| 106 | +
|
| 107 | +--- |
| 108 | + |
3 | 109 | # Windows v3.5 - 2025-02-20 - 24H2 Baseline Edition (Mostly) |
4 | 110 | ## Added |
5 | 111 | ### Settings Catalog |
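Review bot: in both the Lanman Server and Lanman Workstation blocks of the "Device Security - D - Security Hardening" entry, Min Smb2 Dialect is set to `SMB 3.1.1` while Max Smb2 Dialect is set to `SMB 3.0.0`, which puts the minimum above the maximum and cannot be what the profile applies; please check the exported profile and correct whichever of the two values is the typo before this changelog ships, since readers will copy these values. In the "Microsoft Edge - D - Security" list, the line `*Dynamic Code Settings (Device) - \`Default Dynamic Code Settings\`` is missing the space after the asterisk, so it will render as italic text rather than a bullet. Minor wording in the warning callout: "such the use macros, add-ins" should read "such as the use of macros and add-ins".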