Device Configuration (ADMX)
This section contains a list of all ADMX-backed device configuration profiles available in Intune.
Microsoft Edge Policy
| Property | Value |
|---|---|
| createdDateTime | 02/26/2024 17:30:37 |
| displayName | Microsoft Edge Policy |
| description | |
| roleScopeTagIds | 0 |
| policyConfigurationIngestionType | builtIn |
| id | 3f39503f-bfc5-4da1-a731-d68e21aa04d6 |
| lastModifiedDateTime | 02/26/2024 17:30:38 |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
|---|---|---|---|---|---|---|
| All Users | - | BuiltIn | - | - | Include | |
| All Devices | - | BuiltIn | - | - | Include | |
Settings
| DisplayName | Scope | Path | SupportedOn | State | Value |
|---|---|---|---|---|---|
| Configure extension installation allow list | machine | \Google\Google Chrome\Extensions | Microsoft Windows 7 or later | Enabled | |
| Configure extension installation allow list | user | \Google\Google Chrome\Extensions | Microsoft Windows 7 or later | Enabled | |
Turn off Autoplay
Turns off autoplay for all drives
| Property | Value |
|---|---|
| createdDateTime | 11/04/2022 19:06:01 |
| displayName | Turn off Autoplay |
| description | Turns off autoplay for all drives |
| roleScopeTagIds | 0 |
| policyConfigurationIngestionType | builtIn |
| id | e23a8a72-0f21-460f-820e-e5edf9e5fdb2 |
| lastModifiedDateTime | 11/04/2022 19:06:01 |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
|---|---|---|---|---|---|---|
| All Users | - | BuiltIn | - | - | Include | |
| All Devices | - | BuiltIn | - | - | Include | |
Settings
| DisplayName | Scope | Path | SupportedOn | State | Value |
|---|---|---|---|---|---|
| Turn off Autoplay | machine | \Windows Components\AutoPlay Policies | At least Windows 2000 | Enabled | 255 |
Apple Configuration
This section contains the Apple specific Intune configuration. The following Apple push notification certificate is configured:
| Property | Value |
|---|---|
| @odata.context | `https://graph.microsoft.com/v1.0/$metadata#deviceManagement/applePushNotificationCertificate/$entity` |
| id | 17c54a4c-79a3-4f5e-9baf-4b9ac17a38bc |
| appleIdentifier | rex.linder@xentermd.com |
| topicIdentifier | com.apple.mgmt.External.e12d1b2e-b9d1-47ab-adf5-571830b4eca6 |
| lastModifiedDateTime | 05/21/2024 21:54:06 |
| expirationDateTime | 05/21/2025 21:43:35 |
| certificateUploadStatus | |
| certificateUploadFailureReason | |
| certificateSerialNumber | 00E1C6C8C4AC5848 |
| certificate | |
Autopilot Profiles
This section contains a list of all Autopilot Profiles available in Intune.
Conference Rooms
Configure single app kiosk mode for Zoom Rooms.
| Property | Value |
|---|---|
| @odata.type | #microsoft.graph.azureADWindowsAutopilotDeploymentProfile |
| id | 42d09e04-afa2-4623-bda9-87cb2a23cc48 |
| displayName | Conference Rooms |
| description | Configure single app kiosk mode for Zoom Rooms. |
| language | en-US |
| locale | en-US |
| createdDateTime | 07/27/2023 19:15:01 |
| lastModifiedDateTime | 07/28/2023 19:39:25 |
| enrollmentStatusScreenSettings | |
| extractHardwareHash | True |
| hardwareHashExtractionEnabled | True |
| deviceNameTemplate | XMD-%SERIAL% |
| deviceType | windowsPc |
| enableWhiteGlove | |
| preprovisioningAllowed | |
| roleScopeTagIds | 0 |
| managementServiceAppId | |
| outOfBoxExperienceSettings | @{hidePrivacySettings=True; hideEULA=True; userType=standard; deviceUsageType=shared; skipKeyboardSelectionPage=True; hideEscapeLink=True} |
| outOfBoxExperienceSetting | @{privacySettingsHidden=True; eulaHidden=True; userType=standard; deviceUsageType=shared; keyboardSelectionPageSkipped=True; escapeLinkHidden=True} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
|---|---|---|---|---|---|---|
| Conference Rooms | 1 | Static | (device.devicePhysicalIDs -any (_ -contains "[ZTDID]")) and (device.devicePhysicalIds -contains "[OrderID]:conferenceroom") | - | direct | Include |
User Devices
General provisioning that applies to employee devices.
| Property | Value |
|---|---|
| @odata.type | #microsoft.graph.azureADWindowsAutopilotDeploymentProfile |
| id | ace3d212-4bc5-4475-bca8-8bde1ad1b8d3 |
| displayName | User Devices |
| description | General provisioning that applies to employee devices. |
| language | os-default |
| locale | os-default |
| createdDateTime | 06/13/2023 21:58:47 |
| lastModifiedDateTime | 07/27/2023 18:53:46 |
| enrollmentStatusScreenSettings | |
| extractHardwareHash | True |
| hardwareHashExtractionEnabled | True |
| deviceNameTemplate | XMD-%SERIAL% |
| deviceType | windowsPc |
| enableWhiteGlove | True |
| preprovisioningAllowed | True |
| roleScopeTagIds | 0 |
| managementServiceAppId | |
| outOfBoxExperienceSettings | @{hidePrivacySettings=True; hideEULA=True; userType=standard; deviceUsageType=singleUser; skipKeyboardSelectionPage=True; hideEscapeLink=True} |
| outOfBoxExperienceSetting | @{privacySettingsHidden=True; eulaHidden=True; userType=standard; deviceUsageType=singleUser; keyboardSelectionPageSkipped=True; escapeLinkHidden=True} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
|---|---|---|---|---|---|---|
| Employee Computers | 1 | DynamicDevice | (device.devicePhysicalIDs -any (_ -contains "[ZTDID]")) and (device.devicePhysicalIds -notContains "[OrderID]:conferenceroom") | - | direct | Include |
Compliance Policies
This section contains a list of all compliance policies available in Intune.
Default Windows 10 Compliance Policy
| Property | Value |
|---|---|
| @odata.type | #microsoft.graph.windows10CompliancePolicy |
| roleScopeTagIds | 0 |
| id | 191dfb82-e574-433c-9417-ae34027cd131 |
| createdDateTime | 08/14/2020 22:10:50 |
| description | |
| lastModifiedDateTime | 06/29/2023 22:19:18 |
| displayName | Default Windows 10 Compliance Policy |
| version | 6 |
| passwordRequired | |
| passwordBlockSimple | |
| passwordRequiredToUnlockFromIdle | |
| passwordMinutesOfInactivityBeforeLock | |
| passwordExpirationDays | |
| passwordMinimumLength | |
| passwordMinimumCharacterSetCount | |
| passwordRequiredType | deviceDefault |
| passwordPreviousPasswordBlockCount | |
| requireHealthyDeviceReport | |
| osMinimumVersion | 10.0.19042.1706 |
| osMaximumVersion | |
| mobileOsMinimumVersion | |
| mobileOsMaximumVersion | |
| earlyLaunchAntiMalwareDriverEnabled | |
| bitLockerEnabled | True |
| secureBootEnabled | True |
| codeIntegrityEnabled | True |
| memoryIntegrityEnabled | |
| kernelDmaProtectionEnabled | |
| virtualizationBasedSecurityEnabled | |
| firmwareProtectionEnabled | |
| storageRequireEncryption | True |
| activeFirewallRequired | True |
| defenderEnabled | True |
| defenderVersion | 4.18.1909.6 |
| signatureOutOfDate | True |
| rtpEnabled | True |
| antivirusRequired | True |
| antiSpywareRequired | True |
| deviceThreatProtectionEnabled | True |
| deviceThreatProtectionRequiredSecurityLevel | medium |
| configurationManagerComplianceRequired | |
| tpmRequired | True |
| deviceCompliancePolicyScript | |
| validOperatingSystemBuildRanges | |
| wslDistributions | |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
|---|---|---|---|---|---|---|
| All Users | - | BuiltIn | - | - | direct | Include |
Default compliance policy for Android
900f8baa-812e-4886-a598-61f73001bae8
| Property | Value |
|---|---|
| @odata.type | #microsoft.graph.androidCompliancePolicy |
| roleScopeTagIds | 0 |
| id | 6351f163-7d4c-d232-81d6-5c3b8f29fcfe |
| createdDateTime | 04/30/2020 03:52:01 |
| description | 900f8baa-812e-4886-a598-61f73001bae8 |
| lastModifiedDateTime | 06/29/2023 22:52:58 |
| displayName | Default compliance policy for Android |
| version | 3 |
| passwordRequired | |
| passwordMinimumLength | |
| passwordRequiredType | deviceDefault |
| requiredPasswordComplexity | none |
| passwordMinutesOfInactivityBeforeLock | 15 |
| passwordExpirationDays | |
| passwordPreviousPasswordBlockCount | |
| passwordSignInFailureCountBeforeFactoryReset | |
| securityPreventInstallAppsFromUnknownSources | True |
| securityDisableUsbDebugging | True |
| securityRequireVerifyApps | True |
| deviceThreatProtectionEnabled | True |
| deviceThreatProtectionRequiredSecurityLevel | secured |
| advancedThreatProtectionRequiredSecurityLevel | medium |
| securityBlockJailbrokenDevices | True |
| securityBlockDeviceAdministratorManagedDevices | True |
| osMinimumVersion | 12 |
| osMaximumVersion | |
| minAndroidSecurityPatchLevel | |
| storageRequireEncryption | True |
| securityRequireSafetyNetAttestationBasicIntegrity | True |
| securityRequireSafetyNetAttestationCertifiedDevice | True |
| securityRequireGooglePlayServices | True |
| securityRequireUpToDateSecurityProviders | True |
| securityRequireCompanyPortalAppIntegrity | True |
| conditionStatementId | |
| restrictedApps | |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
|---|---|---|---|---|---|---|
| | 0 | Static | - | - | direct | Include |
Device Configuration Policies (Settings Catalog)
This section contains a list of all device configuration policies available in Intune.
Attack Surface Reduction Rules
Consolidated rules for attack surface reduction.
| Property | Value |
|---|---|
| createdDateTime | 08/04/2023 20:37:10 |
| creationSource | Migration_DI_643b593b-bf98-4d22-adfc-b2374fddb13c |
| description | Consolidated rules for attack surface reduction. |
| lastModifiedDateTime | 12/13/2024 18:05:59 |
| name | Attack Surface Reduction Rules |
| platforms | windows10 |
| priorityMetaData | |
| roleScopeTagIds | 0 |
| settingCount | 5 |
| technologies | mdm,microsoftSense |
| id | 2b4307b1-9283-4e43-85ee-7c2d53441a7f |
| templateReference | @{templateId=e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1; templateFamily=endpointSecurityAttackSurfaceReduction; templateDisplayName=Attack Surface Reduction Rules; templateDisplayVersion=Version 1} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
|---|---|---|---|---|---|---|
| All Users | - | BuiltIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
|---|---|---|---|---|
| Attack Surface Reduction Only Exclusions | device_vendor_msft_policy_config_defender_attacksurfacereductiononlyexclusions | Defender | C:\Program Files (x86)\KnowBe4\Second Chance\ | |
| Block process creations originating from PSExec and WMI commands | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands | Defender | block | Block |
| Block Adobe Reader from creating child processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses | Defender | block | Block |
| Block executable content from email client and webmail | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail | Defender | audit | Audit |
| Block all Office applications from creating child processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses | Defender | block | Block |
| Block Office communication application from creating child processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses | Defender | block | Block |
| Block execution of potentially obfuscated scripts | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts | Defender | block | Block |
| Block Win32 API calls from Office macros | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros | Defender | block | Block |
| Block executable files from running unless they meet a prevalence, age, or trusted list criterion | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion | Defender | audit | Audit |
| Block credential stealing from the Windows local security authority subsystem | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem | Defender | block | Block |
| Block JavaScript or VBScript from launching downloaded executable content | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent | Defender | audit | Audit |
| Block untrusted and unsigned processes that run from USB | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb | Defender | block | Block |
| Block persistence through WMI event subscription | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription | Defender | audit | Audit |
| Block abuse of exploited vulnerable signed drivers (Device) | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers | Defender | block | Block |
| Block Office applications from creating executable content | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent | Defender | audit | Audit |
| Block Office applications from injecting code into other processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses | Defender | block | Block |
| Use advanced protection against ransomware | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware | Defender | block | Block |
| Enable Controlled Folder Access | device_vendor_msft_policy_config_defender_enablecontrolledfolderaccess | Defender | 2 | Audit Mode |
| Controlled Folder Access Protected Folders | device_vendor_msft_policy_config_defender_controlledfolderaccessprotectedfolders | Defender | C:\Users | |
| Controlled Folder Access Allowed Applications | device_vendor_msft_policy_config_defender_controlledfolderaccessallowedapplications | Defender | System.Object[] | |
Block process creation PSExec and WMI
Block process creations originating from PSExec and WMI commands
| Property | Value |
|---|---|
| createdDateTime | 11/04/2022 19:13:51 |
| creationSource | |
| description | Block process creations originating from PSExec and WMI commands |
| lastModifiedDateTime | 11/04/2022 19:13:51 |
| name | Block process creation PSExec and WMI |
| platforms | windows10 |
| priorityMetaData | |
| roleScopeTagIds | 0 |
| settingCount | 1 |
| technologies | mdm,microsoftSense |
| id | f0c85af1-422f-4bee-83cd-460581bb4bc7 |
| templateReference | @{templateId=e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1; templateFamily=endpointSecurityAttackSurfaceReduction; templateDisplayName=Attack Surface Reduction Rules; templateDisplayVersion=Version 1} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
|---|---|---|---|---|---|---|
| All Users | - | BuiltIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
|---|---|---|---|---|
| Block process creations originating from PSExec and WMI commands | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands | Defender | block | Block |
BlockAdobeCreateChildProcess
| Property | Value |
|---|---|
| createdDateTime | 05/31/2022 16:42:35 |
| creationSource | |
| description | |
| lastModifiedDateTime | 12/05/2022 21:05:20 |
| name | BlockAdobeCreateChildProcess |
| platforms | windows10 |
| priorityMetaData | |
| roleScopeTagIds | 0 |
| settingCount | 1 |
| technologies | mdm,microsoftSense |
| id | ef304928-5e58-4e29-b180-7251d52f76f4 |
| templateReference | @{templateId=e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1; templateFamily=endpointSecurityAttackSurfaceReduction; templateDisplayName=Attack Surface Reduction Rules; templateDisplayVersion=Version 1} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
|---|---|---|---|---|---|---|
| All Users | - | BuiltIn | - | - | direct | Include |
| All Devices | - | BuiltIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
|---|---|---|---|---|
| Block Adobe Reader from creating child processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses | Defender | audit | Audit |
BlockExecutableFromEmail Audit
Block executable content from email client and webmail
| Property | Value |
|---|---|
| createdDateTime | 11/04/2022 21:43:09 |
| creationSource | |
| description | Block executable content from email client and webmail |
| lastModifiedDateTime | 11/04/2022 21:43:09 |
| name | BlockExecutableFromEmail Audit |
| platforms | windows10 |
| priorityMetaData | |
| roleScopeTagIds | 0 |
| settingCount | 1 |
| technologies | mdm,microsoftSense |
| id | 49bbc575-9998-4471-9fef-b1b1c8aa2ce0 |
| templateReference | @{templateId=e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1; templateFamily=endpointSecurityAttackSurfaceReduction; templateDisplayName=Attack Surface Reduction Rules; templateDisplayVersion=Version 1} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
|---|---|---|---|---|---|---|
| All Users | - | BuiltIn | - | - | direct | Include |
| All Devices | - | BuiltIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
|---|---|---|---|---|
| Block executable content from email client and webmail | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail | Defender | audit | Audit |
BlockOfficeCreateProcessRule
Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability:
https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
| Property | Value |
|---|---|
| createdDateTime | 05/31/2022 16:36:53 |
| creationSource | |
| description | Guidance for CVE-2022-30190 Microsoft Support Diagnostic Tool Vulnerability: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/ |
| lastModifiedDateTime | 05/31/2022 19:03:07 |
| name | BlockOfficeCreateProcessRule |
| platforms | windows10 |
| priorityMetaData | |
| roleScopeTagIds | 0 |
| settingCount | 1 |
| technologies | mdm,microsoftSense |
| id | 6f656fbb-cc2b-471f-a87d-0758685d6d35 |
| templateReference | @{templateId=e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1; templateFamily=endpointSecurityAttackSurfaceReduction; templateDisplayName=Attack Surface Reduction Rules; templateDisplayVersion=Version 1} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
|---|---|---|---|---|---|---|
| All Users | - | BuiltIn | - | - | direct | Include |
| All Devices | - | BuiltIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
|---|---|---|---|---|
| Block Office communication application from creating child processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses | Defender | audit | Audit |
| Block all Office applications from creating child processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses | Defender | audit | Audit |
CIS Administrative Template
Section 3 of CIS L1. This does not cover the BitLocker (BL) settings covered in section 3 of CIS. Certain options regarding Microsoft accounts have been ignored as we still use Microsoft accounts.
| Property | Value |
|---|---|
| createdDateTime | 12/13/2024 23:40:59 |
| creationSource | |
| description | Section 3 of CIS L1. This does not cover the BitLocker (BL) settings covered in section 3 of CIS. Certain options regarding Microsoft accounts have been ignored as we still use Microsoft accounts. |
| lastModifiedDateTime | 02/26/2025 16:45:18 |
| name | CIS Administrative Template |
| platforms | windows10 |
| priorityMetaData | |
| roleScopeTagIds | 0 |
| settingCount | 87 |
| technologies | mdm |
| id | d37cf123-126c-4286-ab62-b9b0c3668b36 |
| templateReference | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
|---|---|---|---|---|---|---|
| All Devices | - | BuiltIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
|---|---|---|---|---|
| Apply UAC restrictions to local accounts on network logons | device_vendor_msft_policy_config_mssecurityguide_applyuacrestrictionstolocalaccountsonnetworklogon | Administrative Templates\MS Security Guide | 1 | Enabled |
| Configure SMB v1 client driver | device_vendor_msft_policy_config_mssecurityguide_configuresmbv1clientdriver | Administrative Templates\MS Security Guide | 1 | Enabled |
| Configure SMB v1 server | device_vendor_msft_policy_config_mssecurityguide_configuresmbv1server | Administrative Templates\MS Security Guide | 0 | Disabled |
| Enable Structured Exception Handling Overwrite Protection (SEHOP) | device_vendor_msft_policy_config_mssecurityguide_enablestructuredexceptionhandlingoverwriteprotection | Administrative Templates\MS Security Guide | 1 | Enabled |
| WDigest Authentication (disabling may require KB2871997) | device_vendor_msft_policy_config_mssecurityguide_wdigestauthentication | Administrative Templates\MS Security Guide | 0 | Disabled |
| MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended) | device_vendor_msft_policy_config_admx_mss-legacy_pol_mss_autoadminlogon | Administrative Templates\MSS (Legacy) | 0 | Disabled |
| MSS: (DisableIPSourceRouting IPv6) IP source routing protection level (protects against packet spoofing) | device_vendor_msft_policy_config_msslegacy_ipv6sourceroutingprotectionlevel | Administrative Templates\MSS (Legacy) | 1 | Enabled |
| MSS: (DisableIPSourceRouting) IP source routing protection level (protects against packet spoofing) | device_vendor_msft_policy_config_msslegacy_ipsourceroutingprotectionlevel | Administrative Templates\MSS (Legacy) | 1 | Enabled |
| MSS: (EnableICMPRedirect) Allow ICMP redirects to override OSPF generated routes | device_vendor_msft_policy_config_msslegacy_allowicmpredirectstooverrideospfgeneratedroutes | Administrative Templates\MSS (Legacy) | 0 | Disabled |
| MSS: (NoNameReleaseOnDemand) Allow the computer to ignore NetBIOS name release requests except from WINS servers | device_vendor_msft_policy_config_msslegacy_allowthecomputertoignorenetbiosnamereleaserequestsexceptfromwinsservers | Administrative Templates\MSS (Legacy) | 1 | Enabled |
| MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended) | device_vendor_msft_policy_config_admx_mss-legacy_pol_mss_safedllsearchmode | Administrative Templates\MSS (Legacy) | 1 | Enabled |
| MSS: (ScreenSaverGracePeriod) The time in seconds before the screen saver grace period expires (0 recommended) | device_vendor_msft_policy_config_admx_mss-legacy_pol_mss_screensavergraceperiod | Administrative Templates\MSS (Legacy) | 1 | Enabled |
| MSS: (WarningLevel) Percentage threshold for the security event log at which the system will generate a warning | device_vendor_msft_policy_config_admx_mss-legacy_pol_mss_warninglevel | Administrative Templates\MSS (Legacy) | 1 | Enabled |
| Turn off multicast name resolution | device_vendor_msft_policy_config_admx_dnsclient_turn_off_multicast | Administrative Templates\Network\DNS Client | 1 | Enabled |
| Prohibit installation and configuration of Network Bridge on your DNS domain network | device_vendor_msft_policy_config_connectivity_prohibitinstallationandconfigurationofnetworkbridge | Administrative Templates\Network\Network Connections | 1 | Enabled |
| Prohibit use of Internet Connection Sharing on your DNS domain network | device_vendor_msft_policy_config_admx_networkconnections_nc_showsharedaccessui | Administrative Templates\Network\Network Connections | 1 | Enabled |
| Minimize the number of simultaneous connections to the Internet or a Windows Domain | device_vendor_msft_policy_config_admx_wcm_wcm_minimizeconnections | Administrative Templates\Network\Windows Connection Manager | 1 | Enabled |
| Prohibit connection to non-domain networks when connected to domain authenticated network | device_vendor_msft_policy_config_windowsconnectionmanager_prohitconnectiontonondomainnetworkswhenconnectedtodomainauthenticatednetwork | Administrative Templates\Network\Windows Connection Manager | 1 | Enabled |
| Allow Print Spooler to accept client connections | device_vendor_msft_policy_config_admx_printing2_registerspoolerremoterpcendpoint | Administrative Templates\Printers | 0 | Disabled |
| Point and Print Restrictions | device_vendor_msft_policy_config_printers_pointandprintrestrictions | Administrative Templates\Printers | 1 | Enabled |
| Turn off toast notifications on the lock screen (User) | user_vendor_msft_policy_config_admx_wpn_nolockscreentoastnotification | Administrative Templates\Start Menu and Taskbar\Notifications | 1 | Enabled |
| Include command line in process creation events | device_vendor_msft_policy_config_admx_auditsettings_includecmdline | Administrative Templates\System\Audit Process Creation | 1 | Enabled |
| Encryption Oracle Remediation | device_vendor_msft_policy_config_admx_credssp_allowencryptionoracle | Administrative Templates\System\Credentials Delegation | 1 | Enabled |
| Remote host allows delegation of non-exportable credentials | device_vendor_msft_policy_config_credentialsdelegation_remotehostallowsdelegationofnonexportablecredentials | Administrative Templates\System\Credentials Delegation | 1 | Enabled |
| Remove Change Password (User) | user_vendor_msft_policy_config_admx_ctrlaltdel_disablechangepassword | Administrative Templates\System\Ctrl+Alt+Del Options | 1 | Enabled |
| Prevent device metadata retrieval from the Internet | device_vendor_msft_policy_config_deviceinstallation_preventdevicemetadatafromnetwork | Administrative Templates\System\Device Installation | 1 | Enabled |
| Boot-Start Driver Initialization Policy | device_vendor_msft_policy_config_system_bootstartdriverinitialization | Administrative Templates\System\Early Launch Antimalware | 1 | Enabled |
| Configure registry policy processing | device_vendor_msft_policy_config_admx_grouppolicy_cse_registry | Administrative Templates\System\Group Policy | 1 | Enabled |
| Configure security policy processing | device_vendor_msft_policy_config_admx_grouppolicy_cse_security | Administrative Templates\System\Group Policy | 1 | Enabled |
| Turn off background refresh of Group Policy | device_vendor_msft_policy_config_admx_grouppolicy_disablebackgroundpolicy | Administrative Templates\System\Group Policy | 0 | Disabled |
| Turn off downloading of print drivers over HTTP | device_vendor_msft_policy_config_connectivity_disabledownloadingofprintdriversoverhttp | Administrative Templates\System\Internet Communication Management\Internet Communication settings | 1 | Enabled |
| Turn off Internet download for Web publishing and online ordering wizards | device_vendor_msft_policy_config_connectivity_disableinternetdownloadforwebpublishingandonlineorderingwizards | Administrative Templates\System\Internet Communication Management\Internet Communication settings | 1 | Enabled |
| Block user from showing account details on sign-in | device_vendor_msft_policy_config_admx_logon_blockuserfromshowingaccountdetailsonsignin | Administrative Templates\System\Logon | 1 | Enabled |
| Do not display network selection UI | device_vendor_msft_policy_config_windowslogon_dontdisplaynetworkselectionui | Administrative Templates\System\Logon | 1 | Enabled |
| Do not enumerate connected users on domain-joined computers | device_vendor_msft_policy_config_admx_logon_dontenumerateconnectedusers | Administrative Templates\System\Logon | 1 | Enabled |
| Enumerate local users on domain-joined computers | device_vendor_msft_policy_config_windowslogon_enumeratelocalusersondomainjoinedcomputers | Administrative Templates\System\Logon | 0 | Disabled |
| Turn off app notifications on the lock screen | device_vendor_msft_policy_config_windowslogon_disablelockscreenappnotifications | Administrative Templates\System\Logon | 1 | Enabled |
| Turn off picture password sign-in | device_vendor_msft_policy_config_credentialproviders_blockpicturepassword | Administrative Templates\System\Logon | 1 | Enabled |
| Allow network connectivity during connected-standby (on battery) | device_vendor_msft_policy_config_admx_power_dcconnectivityinstandby_2 | Administrative Templates\System\Power Management\Sleep Settings | 0 | Disabled |
| Allow network connectivity during connected-standby (plugged in) | device_vendor_msft_policy_config_admx_power_acconnectivityinstandby_2 | Administrative Templates\System\Power Management\Sleep Settings | 0 | Disabled |
| Require a password when a computer wakes (on battery) | device_vendor_msft_policy_config_power_requirepasswordwhencomputerwakesonbattery | Administrative Templates\System\Power Management\Sleep Settings | 1 | Enabled |
| Require a password when a computer wakes (plugged in) | device_vendor_msft_policy_config_power_requirepasswordwhencomputerwakespluggedin | Administrative Templates\System\Power Management\Sleep Settings | 1 | Enabled |
| Configure Offer Remote Assistance | device_vendor_msft_policy_config_remoteassistance_unsolicitedremoteassistance | Administrative Templates\System\Remote Assistance | 0 | Disabled |
| Configure Solicited Remote Assistance | device_vendor_msft_policy_config_remoteassistance_solicitedremoteassistance | Administrative Templates\System\Remote Assistance | 0 | Disabled |
| Enable RPC Endpoint Mapper Client Authentication | device_vendor_msft_policy_config_remoteprocedurecall_rpcendpointmapperclientauthentication | Administrative Templates\System\Remote Procedure Call | 1 | Enabled |
| Enable Windows NTP Client | device_vendor_msft_policy_config_admx_w32time_w32time_policy_enable_ntpclient | Administrative Templates\System\Windows Time Service\Time Providers | 1 | Enabled |
| Enable Windows NTP Server | device_vendor_msft_policy_config_admx_w32time_w32time_policy_enable_ntpserver | Administrative Templates\System\Windows Time Service\Time Providers | 0 | Disabled |
| Do not preserve zone information in file attachments (User) | user_vendor_msft_policy_config_attachmentmanager_donotpreservezoneinformation | Administrative Templates\Windows Components\Attachment Manager | 0 | Disabled |
| Notify antivirus programs when opening attachments (User) | user_vendor_msft_policy_config_attachmentmanager_notifyantivirusprograms | Administrative Templates\Windows Components\Attachment Manager | 1 | Enabled |
| Do not display the password reveal button | device_vendor_msft_policy_config_credentialsui_disablepasswordreveal | Administrative Templates\Windows Components\Credential User Interface | 1 | Enabled |
| Enumerate administrator accounts on elevation | device_vendor_msft_policy_config_credentialsui_enumerateadministrators | Administrative Templates\Windows Components\Credential User Interface | 0 | Disabled |
| Prevent the use of security questions for local accounts | device_vendor_msft_policy_config_admx_credui_nolocalpasswordresetquestions | Administrative Templates\Windows Components\Credential User Interface | 1 | Enabled |
| Control Event Log behavior when the log file reaches its maximum size | device_vendor_msft_policy_config_eventlogservice_controleventlogbehavior | Administrative Templates\Windows Components\Event Log Service\Application | 0 | Disabled |
| Specify the maximum log file size (KB) | device_vendor_msft_policy_config_eventlogservice_specifymaximumfilesizeapplicationlog | Administrative Templates\Windows Components\Event Log Service\Application | 1 | Enabled |
| Control Event Log behavior when the log file reaches its maximum size | device_vendor_msft_policy_config_admx_eventlog_channel_log_retention_2 | Administrative Templates\Windows Components\Event Log Service\Security | 0 | Disabled |
| Specify the maximum log file size (KB) | device_vendor_msft_policy_config_eventlogservice_specifymaximumfilesizesecuritylog | Administrative Templates\Windows Components\Event Log Service\Security | 1 | Enabled |
| Control Event Log behavior when the log file reaches its maximum size | device_vendor_msft_policy_config_admx_eventlog_channel_log_retention_3 | Administrative Templates\Windows Components\Event Log Service\Setup | 0 | Disabled |
| Specify the maximum log file size (KB) | device_vendor_msft_policy_config_admx_eventlog_channel_logmaxsize_3 | Administrative Templates\Windows Components\Event Log Service\Setup | 1 | Enabled |
| Control Event Log behavior when the log file reaches its maximum size | device_vendor_msft_policy_config_admx_eventlog_channel_log_retention_4 | Administrative Templates\Windows Components\Event Log Service\System | 0 | Disabled |
| Specify the maximum log file size (KB) | device_vendor_msft_policy_config_eventlogservice_specifymaximumfilesizesystemlog | Administrative Templates\Windows Components\Event Log Service\System | 1 | Enabled |
| Configure Windows Defender SmartScreen | device_vendor_msft_policy_config_admx_windowsexplorer_enablesmartscreen | Administrative Templates\Windows Components\File Explorer | 1 | Enabled |
| Turn off Data Execution Prevention for Explorer | device_vendor_msft_policy_config_fileexplorer_turnoffdataexecutionpreventionforexplorer | Administrative Templates\Windows Components\File Explorer | 0 | Disabled |
| Turn off heap termination on corruption | device_vendor_msft_policy_config_fileexplorer_turnoffheapterminationoncorruption | Administrative Templates\Windows Components\File Explorer | 0 | Disabled |
| Turn off shell protocol protected mode | device_vendor_msft_policy_config_admx_windowsexplorer_shellprotocolprotectedmodetitle_2 | Administrative Templates\Windows Components\File Explorer | 0 | Disabled |
| Prevent the computer from joining a homegroup | device_vendor_msft_policy_config_admx_sharing_disablehomegroup | Administrative Templates\Windows Components\HomeGroup | 1 | Enabled |
| Configure local setting override for reporting to Microsoft MAPS | device_vendor_msft_policy_config_admx_microsoftdefenderantivirus_spynet_localsettingoverridespynetreporting | Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS | 0 | Disabled |
| Turn off Microsoft Defender Antivirus | device_vendor_msft_policy_config_admx_microsoftdefenderantivirus_disableantispywaredefender | Administrative Templates\Windows Components\Microsoft Defender Antivirus | 0 | Disabled |
| Prevent users from sharing files within their profile. (User) | user_vendor_msft_policy_config_admx_sharing_noinplacesharing | Administrative Templates\Windows Components\Network Sharing | 1 | Enabled |
| Do not allow passwords to be saved | device_vendor_msft_policy_config_remotedesktopservices_donotallowpasswordsaving | Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client | 1 | Enabled |
| Do not allow drive redirection | device_vendor_msft_policy_config_remotedesktopservices_donotallowdriveredirection | Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Device and Resource Redirection | 1 | Enabled |
| Always prompt for password upon connection | device_vendor_msft_policy_config_remotedesktopservices_promptforpassworduponconnection | Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security | 0 | Disabled |
| Require secure RPC communication | device_vendor_msft_policy_config_remotedesktopservices_requiresecurerpccommunication | Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security | 0 | Disabled |
| Require use of specific security layer for remote (RDP) connections | device_vendor_msft_policy_config_admx_terminalserver_ts_security_layer_policy | Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security | 0 | Disabled |
| Require user authentication for remote connections by using Network Level Authentication | device_vendor_msft_policy_config_admx_terminalserver_ts_user_authentication_policy | Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security | 0 | Disabled |
| Set client connection encryption level | device_vendor_msft_policy_config_remotedesktopservices_clientconnectionencryptionlevel | Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security | 0 | Disabled |
| Do not delete temp folders upon exit | device_vendor_msft_policy_config_admx_terminalserver_ts_temp_delete | Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Temporary folders | 0 | Disabled |
| Prevent downloading of enclosures | device_vendor_msft_policy_config_internetexplorer_disableenclosuredownloading | Administrative Templates\Windows Components\RSS Feeds | 1 | Enabled |
| Turn off the offer to update to the latest version of Windows | device_vendor_msft_policy_config_admx_windowsstore_disableosupgrade_2 | Administrative Templates\Windows Components\Store | 1 | Enabled |
| Sign-in and lock last interactive user automatically after a restart | device_vendor_msft_policy_config_windowslogon_allowautomaticrestartsignon | Administrative Templates\Windows Components\Windows Logon Options | 0 | Disabled |
| Turn on PowerShell Script Block Logging | device_vendor_msft_policy_config_windowspowershell_turnonpowershellscriptblocklogging | Administrative Templates\Windows Components\Windows PowerShell | 1 | Enabled |
| Turn on PowerShell Transcription | device_vendor_msft_policy_config_admx_powershellexecutionpolicy_enabletranscripting | Administrative Templates\Windows Components\Windows PowerShell | 1 | Enabled |
| Allow Basic authentication | device_vendor_msft_policy_config_remotemanagement_allowbasicauthentication_client | Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client | 0 | Disabled |
| Allow unencrypted traffic | device_vendor_msft_policy_config_remotemanagement_allowunencryptedtraffic_client | Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client | 0 | Disabled |
| Disallow Digest authentication | device_vendor_msft_policy_config_remotemanagement_disallowdigestauthentication | Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Client | 1 | Enabled |
| Allow Basic authentication | device_vendor_msft_policy_config_remotemanagement_allowbasicauthentication_service | Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service | 0 | Disabled |
| Allow unencrypted traffic | device_vendor_msft_policy_config_remotemanagement_allowunencryptedtraffic_service | Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service | 0 | Disabled |
| Disallow WinRM from storing RunAs credentials | device_vendor_msft_policy_config_remotemanagement_disallowstoringofrunascredentials | Administrative Templates\Windows Components\Windows Remote Management (WinRM)\WinRM Service | 1 | Enabled |
CIS Auditing
This covers section 5 of the CIS L1 standards.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/17/2024 21:05:47 | | This covers section 5 of the CIS L1 standards. | 12/17/2024 23:36:50 | CIS Auditing | windows10 | | 0 | 25 | mdm | e02fee80-f1e1-4c80-b4c2-d3995f080941 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Account Logon Audit Credential Validation | device_vendor_msft_policy_config_audit_accountlogon_auditcredentialvalidation | Auditing | 3 | Success+ Failure |
| Account Logon Logoff Audit Account Lockout | device_vendor_msft_policy_config_audit_accountlogonlogoff_auditaccountlockout | Auditing | 2 | Failure |
| Account Logon Logoff Audit Group Membership | device_vendor_msft_policy_config_audit_accountlogonlogoff_auditgroupmembership | Auditing | 1 | Success |
| Account Logon Logoff Audit Logoff | device_vendor_msft_policy_config_audit_accountlogonlogoff_auditlogoff | Auditing | 1 | Success |
| Account Logon Logoff Audit Logon | device_vendor_msft_policy_config_audit_accountlogonlogoff_auditlogon | Auditing | 3 | Success+ Failure |
| Account Management Audit Application Group Management | device_vendor_msft_policy_config_audit_accountmanagement_auditapplicationgroupmanagement | Auditing | 3 | Success+ Failure |
| Audit Authentication Policy Change | device_vendor_msft_policy_config_audit_policychange_auditauthenticationpolicychange | Auditing | 1 | Success |
| Audit Changes to Audit Policy | device_vendor_msft_policy_config_audit_policychange_auditpolicychange | Auditing | 1 | Success |
| Audit File Share Access | device_vendor_msft_policy_config_audit_objectaccess_auditfileshare | Auditing | 3 | Success+Failure |
| Audit Other Logon Logoff Events | device_vendor_msft_policy_config_audit_accountlogonlogoff_auditotherlogonlogoffevents | Auditing | 3 | Success+Failure |
| Audit Security Group Management | device_vendor_msft_policy_config_audit_accountmanagement_auditsecuritygroupmanagement | Auditing | 1 | Success |
| Audit Security System Extension | device_vendor_msft_policy_config_audit_system_auditsecuritysystemextension | Auditing | 1 | Success |
| Audit Special Logon | device_vendor_msft_policy_config_audit_accountlogonlogoff_auditspeciallogon | Auditing | 1 | Success |
| Audit User Account Management | device_vendor_msft_policy_config_audit_accountmanagement_audituseraccountmanagement | Auditing | 3 | Success+Failure |
| Detailed Tracking Audit PNP Activity | device_vendor_msft_policy_config_audit_detailedtracking_auditpnpactivity | Auditing | 1 | Success |
| Detailed Tracking Audit Process Creation | device_vendor_msft_policy_config_audit_detailedtracking_auditprocesscreation | Auditing | 1 | Success |
| Object Access Audit Detailed File Share | device_vendor_msft_policy_config_audit_objectaccess_auditdetailedfileshare | Auditing | 2 | Failure |
| Object Access Audit Other Object Access Events | device_vendor_msft_policy_config_audit_objectaccess_auditotherobjectaccessevents | Auditing | 3 | Success+ Failure |
| Object Access Audit Removable Storage | device_vendor_msft_policy_config_audit_objectaccess_auditremovablestorage | Auditing | 3 | Success+ Failure |
| Policy Change Audit MPSSVC Rule Level Policy Change | device_vendor_msft_policy_config_audit_policychange_auditmpssvcrulelevelpolicychange | Auditing | 3 | Success+ Failure |
| Policy Change Audit Other Policy Change Events | device_vendor_msft_policy_config_audit_policychange_auditotherpolicychangeevents | Auditing | 2 | Failure |
| System Audit IPsec Driver | device_vendor_msft_policy_config_audit_system_auditipsecdriver | Auditing | 3 | Success+ Failure |
| System Audit Other System Events | device_vendor_msft_policy_config_audit_system_auditothersystemevents | Auditing | 3 | Success+ Failure |
| System Audit Security State Change | device_vendor_msft_policy_config_audit_system_auditsecuritystatechange | Auditing | 1 | Success |
| System Audit System Integrity | device_vendor_msft_policy_config_audit_system_auditsystemintegrity | Auditing | 3 | Success+ Failure |
CIS Defender
CIS L1 section 21 covering Defender. Includes attack surface reduction rules.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/18/2024 19:32:25 | | CIS L1 section 21 covering Defender. Includes attack surface reduction rules. | 12/18/2024 19:32:25 | CIS Defender | windows10 | | 0 | 9 | mdm | 3b244e79-f61b-46b5-8d39-fdc03e4fdb83 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Allow Behavior Monitoring | device_vendor_msft_policy_config_defender_allowbehaviormonitoring | Defender | 1 | Allowed. Turns on real-time behavior monitoring. |
| Allow Email Scanning | device_vendor_msft_policy_config_defender_allowemailscanning | Defender | 1 | Allowed. Turns on email scanning. |
| Allow Full Scan Removable Drive Scanning | device_vendor_msft_policy_config_defender_allowfullscanremovabledrivescanning | Defender | 1 | Allowed. Scans removable drives. |
| Allow Realtime Monitoring | device_vendor_msft_policy_config_defender_allowrealtimemonitoring | Defender | 1 | Allowed. Turns on and runs the real-time monitoring service. |
| Allow scanning of all downloaded files and attachments | device_vendor_msft_policy_config_defender_allowioavprotection | Defender | 1 | Allowed. |
| Allow Script Scanning | device_vendor_msft_policy_config_defender_allowscriptscanning | Defender | 1 | Allowed. |
| Block abuse of exploited vulnerable signed drivers (Device) | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers | Defender | block | Block |
| Block Adobe Reader from creating child processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses | Defender | block | Block |
| Block all Office applications from creating child processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses | Defender | block | Block |
| Block credential stealing from the Windows local security authority subsystem | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem | Defender | block | Block |
| Block executable content from email client and webmail | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail | Defender | block | Block |
| Block execution of potentially obfuscated scripts | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts | Defender | block | Block |
| Block JavaScript or VBScript from launching downloaded executable content | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent | Defender | block | Block |
| Block Office applications from creating executable content | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent | Defender | block | Block |
| Block Office applications from injecting code into other processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses | Defender | block | Block |
| Block Office communication application from creating child processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses | Defender | block | Block |
| Block persistence through WMI event subscription | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription | Defender | block | Block |
| Block untrusted and unsigned processes that run from USB | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb | Defender | block | Block |
| Block Win32 API calls from Office macros | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros | Defender | block | Block |
| Enable Network Protection | device_vendor_msft_policy_config_defender_enablenetworkprotection | Defender | 1 | Enabled (block mode) |
| PUA Protection | device_vendor_msft_policy_config_defender_puaprotection | Defender | 1 | PUA Protection on. Detected items are blocked. They will show in history along with other threats. |
CIS Delivery Optimization
CIS L1 section 22 on Delivery Optimization.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/18/2024 20:04:54 | | CIS L1 section 22 on Delivery Optimization. | 12/18/2024 20:04:54 | CIS Delivery Optimization | windows10 | | 0 | 1 | mdm | 29c1349d-38d2-4dda-81e0-c9bff08c4cbb | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| DO Download Mode | device_vendor_msft_policy_config_deliveryoptimization_dodownloadmode | Delivery Optimization | 0 | HTTP only, no peering |
CIS Device Guard
CIS L1 containing information on section 22, Device Guard.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/18/2024 21:51:14 | | CIS L1 containing information on section 22, Device Guard. | 02/27/2025 19:04:27 | CIS Device Guard | windows10 | | 0 | 4 | mdm | f3a58c40-19be-44ea-9aa0-93cea6709b13 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Configure System Guard Launch | device_vendor_msft_policy_config_deviceguard_configuresystemguardlaunch | Device Guard | 1 | Unmanaged Enables Secure Launch if supported by hardware |
| Credential Guard | device_vendor_msft_policy_config_deviceguard_lsacfgflags | Device Guard | 2 | (Enabled without lock) Turns on Credential Guard without UEFI lock. |
| Enable Virtualization Based Security | device_vendor_msft_policy_config_deviceguard_enablevirtualizationbasedsecurity | Device Guard | 1 | enable virtualization based security. |
| Require Platform Security Features | device_vendor_msft_policy_config_deviceguard_requireplatformsecurityfeatures | Device Guard | 1 | Turns on VBS with Secure Boot. |
CIS Device Lock
CIS L1 section 24 regarding device lock. Mostly involves local account password complexity requirements. Does not affect Entra ID.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/18/2024 22:56:59 | | CIS L1 section 24 regarding device lock. Mostly involves local account password complexity requirements. Does not affect Entra ID. | 12/18/2024 22:56:59 | CIS Device Lock | windows10 | | 0 | 2 | mdm | 19263b12-0099-478d-99a2-beb4f2dd8445 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Device Password Enabled | device_vendor_msft_policy_config_devicelock_devicepasswordenabled | Device Lock | 0 | Enabled |
| Minimum Password Age | device_vendor_msft_policy_config_devicelock_minimumpasswordage | Device Lock | 1 | |
CIS Experience
CIS L1 section 30 regarding experience.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/18/2024 23:07:59 | | CIS L1 section 30 regarding experience. | 12/18/2024 23:07:59 | CIS Experience | windows10 | | 0 | 4 | mdm | 21055f6a-4e20-4dab-8eed-0804f5a1b4cc | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Allow Cortana | device_vendor_msft_policy_config_experience_allowcortana | Experience | 0 | Block |
| Allow Spotlight Collection (User) | user_vendor_msft_policy_config_experience_allowspotlightcollection | Experience | 0 | |
| Disable Consumer Account State Content | device_vendor_msft_policy_config_experience_disableconsumeraccountstatecontent | Experience | 1 | Enabled. |
| Do Not Show Feedback Notifications | device_vendor_msft_policy_config_experience_donotshowfeedbacknotifications | Experience | 1 | Feedback notifications are disabled. |
CIS Firewall
CIS L1 section 35 containing information on Firewall.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/18/2024 23:57:47 | | CIS L1 section 35 containing information on Firewall. | 01/10/2025 15:50:08 | CIS Firewall | windows10 | | 0 | 3 | mdm | 62924d10-aa4e-48db-80aa-823f6a70c3b6 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Enable Domain Network Firewall | vendor_msft_firewall_mdmstore_domainprofile_enablefirewall | Firewall | true | True |
| Enable Private Network Firewall | vendor_msft_firewall_mdmstore_privateprofile_enablefirewall | Firewall | true | True |
| Enable Public Network Firewall | vendor_msft_firewall_mdmstore_publicprofile_enablefirewall | Firewall | true | True |
CIS Lanman Workstation
CIS L1 section 42 containing information on Lanman Workstation.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/19/2024 16:00:28 | | CIS L1 section 42 containing information on Lanman Workstation. | 12/19/2024 16:00:28 | CIS Lanman Workstation | windows10 | | 0 | 1 | mdm | d83fcbf9-ebd8-4e8f-ba06-0486e2e43fdf | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Enable Insecure Guest Logons | device_vendor_msft_policy_config_lanmanworkstation_enableinsecureguestlogons | Lanman Workstation | 0 | Disabled |
CIS Local Policies Security Options (Clients)
CIS local security policies specifically for end user clients, not including lab computers.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 02/24/2025 22:20:02 | | CIS local security policies specifically for end user clients, not including lab computers. | 02/27/2025 16:33:29 | CIS Local Policies Security Options (Clients) | windows10 | | 0 | 29 | mdm | 9366ec15-4e4d-4ad7-a2cf-9653d061b209 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Accounts Enable Guest Account Status | device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableguestaccountstatus | Local Policies Security Options | 0 | Disable |
| Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only | device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_limitlocalaccountuseofblankpasswordstoconsolelogononly | Local Policies Security Options | 1 | Enabled |
| Accounts Rename Administrator Account | device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_renameadministratoraccount | Local Policies Security Options | xen-overseer | |
| Accounts Rename Guest Account | device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_renameguestaccount | Local Policies Security Options | xen-default-user | |
| Interactive Logon Do Not Display Last Signed In | device_vendor_msft_policy_config_localpoliciessecurityoptions_interactivelogon_donotdisplaylastsignedin | Local Policies Security Options | 0 | Disabled (username will be shown) |
| Microsoft Network Client Digitally Sign Communications Always | device_vendor_msft_policy_config_localpoliciessecurityoptions_microsoftnetworkclient_digitallysigncommunicationsalways | Local Policies Security Options | 1 | Enable |
| Microsoft Network Client Digitally Sign Communications If Server Agrees | device_vendor_msft_policy_config_localpoliciessecurityoptions_microsoftnetworkclient_digitallysigncommunicationsifserveragrees | Local Policies Security Options | 1 | Enable |
| Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers | device_vendor_msft_policy_config_localpoliciessecurityoptions_microsoftnetworkclient_sendunencryptedpasswordtothirdpartysmbservers | Local Policies Security Options | 0 | Disable |
| Microsoft Network Server Digitally Sign Communications Always | device_vendor_msft_policy_config_localpoliciessecurityoptions_microsoftnetworkserver_digitallysigncommunicationsalways | Local Policies Security Options | 1 | Enable |
| Microsoft Network Server Digitally Sign Communications If Client Agrees | device_vendor_msft_policy_config_localpoliciessecurityoptions_microsoftnetworkserver_digitallysigncommunicationsifclientagrees | Local Policies Security Options | 1 | Enable |
| Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts | device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccounts | Local Policies Security Options | 1 | Enabled |
| Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares | device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccountsandshares | Local Policies Security Options | 1 | Enabled |
| Network Access Restrict Anonymous Access To Named Pipes And Shares | device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_restrictanonymousaccesstonamedpipesandshares | Local Policies Security Options | 1 | Enable |
| Network Access Restrict Clients Allowed To Make Remote Calls To SAM | device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_restrictclientsallowedtomakeremotecallstosam | Local Policies Security Options | Administrators: Remote Access: Allow | |
| Network Security Allow Local System To Use Computer Identity For NTLM | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_allowlocalsystemtousecomputeridentityforntlm | Local Policies Security Options | 1 | Allow |
| Network Security Allow PKU2U Authentication Requests | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_allowpku2uauthenticationrequests | Local Policies Security Options | 1 | Allow |
| Network Security Do Not Store LAN Manager Hash Value On Next Password Change | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_donotstorelanmanagerhashvalueonnextpasswordchange | Local Policies Security Options | 1 | Enable |
| Network Security LAN Manager Authentication Level | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_lanmanagerauthenticationlevel | Local Policies Security Options | 5 | Send LM and NTLMv2 responses only. Refuse LM and NTLM |
| Network Security Minimum Session Security For NTLMSSP Based Clients | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_minimumsessionsecurityforntlmsspbasedclients | Local Policies Security Options | 537395200 | Require NTLM and 128-bit encryption |
| Network Security Minimum Session Security For NTLMSSP Based Servers | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_minimumsessionsecurityforntlmsspbasedservers | Local Policies Security Options | 537395200 | Require NTLM and 128-bit encryption |
| Network Security Restrict NTLM Audit Incoming NTLM Traffic | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_restrictntlm_auditincomingntlmtraffic | Local Policies Security Options | 2 | Enable auditing for all accounts |
| User Account Control Behavior Of The Elevation Prompt For Administrators | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_behavioroftheelevationpromptforadministrators | Local Policies Security Options | 2 | Prompt for consent on the secure desktop |
| User Account Control Behavior Of The Elevation Prompt For Standard Users | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_behavioroftheelevationpromptforstandardusers | Local Policies Security Options | 0 | Automatically deny elevation requests |
| User Account Control Detect Application Installations And Prompt For Elevation | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_detectapplicationinstallationsandpromptforelevation | Local Policies Security Options | 1 | Enable |
| User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations | Local Policies Security Options | 1 | Enabled: Application runs with UIAccess integrity only if it resides in secure location. |
| User Account Control Run All Administrators In Admin Approval Mode | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_runalladministratorsinadminapprovalmode | Local Policies Security Options | 1 | Enabled |
| User Account Control Switch To The Secure Desktop When Prompting For Elevation | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_switchtothesecuredesktopwhenpromptingforelevation | Local Policies Security Options | 1 | Enabled |
| User Account Control Use Admin Approval Mode | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_useadminapprovalmode | Local Policies Security Options | 1 | Enable |
| User Account Control Virtualize File And Registry Write Failures To Per User Locations | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_virtualizefileandregistrywritefailurestoperuserlocations | Local Policies Security Options | 1 | Enabled |
CIS Local Policies Security Options (Lab PC’s)
CIS L1 section 45 containing information on local policies security options. This is specific to LAB computers as some settings are slightly different.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/19/2024 18:30:57 | | CIS L1 section 45 containing information on local policies security options. This is specific to LAB computers as some settings are slightly different. | 02/27/2025 16:32:37 | CIS Local Policies Security Options (Lab PC’s) | windows10 | | 0 | 30 | mdm | 22f5ecff-e508-4000-9f18-dc30f91aac33 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Accounts Enable Guest Account Status | device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_enableguestaccountstatus | Local Policies Security Options | 0 | Disable |
| Accounts Limit Local Account Use Of Blank Passwords To Console Logon Only | device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_limitlocalaccountuseofblankpasswordstoconsolelogononly | Local Policies Security Options | 1 | Enabled |
| Accounts Rename Administrator Account | device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_renameadministratoraccount | Local Policies Security Options | xen-overseer | |
| Accounts Rename Guest Account | device_vendor_msft_policy_config_localpoliciessecurityoptions_accounts_renameguestaccount | Local Policies Security Options | xen-default-user | |
| Interactive Logon Do Not Display Last Signed In | device_vendor_msft_policy_config_localpoliciessecurityoptions_interactivelogon_donotdisplaylastsignedin | Local Policies Security Options | 0 | Disabled (username will be shown) |
| Interactive Logon Smart Card Removal Behavior | device_vendor_msft_policy_config_localpoliciessecurityoptions_interactivelogon_smartcardremovalbehavior | Local Policies Security Options | 1 | Lock Workstation |
| Microsoft Network Client Digitally Sign Communications Always | device_vendor_msft_policy_config_localpoliciessecurityoptions_microsoftnetworkclient_digitallysigncommunicationsalways | Local Policies Security Options | 1 | Enable |
| Microsoft Network Client Digitally Sign Communications If Server Agrees | device_vendor_msft_policy_config_localpoliciessecurityoptions_microsoftnetworkclient_digitallysigncommunicationsifserveragrees | Local Policies Security Options | 1 | Enable |
| Microsoft Network Client Send Unencrypted Password To Third Party SMB Servers | device_vendor_msft_policy_config_localpoliciessecurityoptions_microsoftnetworkclient_sendunencryptedpasswordtothirdpartysmbservers | Local Policies Security Options | 0 | Disable |
| Microsoft Network Server Digitally Sign Communications Always | device_vendor_msft_policy_config_localpoliciessecurityoptions_microsoftnetworkserver_digitallysigncommunicationsalways | Local Policies Security Options | 1 | Enable |
| Microsoft Network Server Digitally Sign Communications If Client Agrees | device_vendor_msft_policy_config_localpoliciessecurityoptions_microsoftnetworkserver_digitallysigncommunicationsifclientagrees | Local Policies Security Options | 1 | Enable |
| Network Access Do Not Allow Anonymous Enumeration Of SAM Accounts | device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccounts | Local Policies Security Options | 1 | Enabled |
| Network Access Do Not Allow Anonymous Enumeration Of Sam Accounts And Shares | device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_donotallowanonymousenumerationofsamaccountsandshares | Local Policies Security Options | 1 | Enabled |
| Network Access Restrict Anonymous Access To Named Pipes And Shares | device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_restrictanonymousaccesstonamedpipesandshares | Local Policies Security Options | 1 | Enable |
| Network Access Restrict Clients Allowed To Make Remote Calls To SAM | device_vendor_msft_policy_config_localpoliciessecurityoptions_networkaccess_restrictclientsallowedtomakeremotecallstosam | Local Policies Security Options | Administrators: Remote Access: Allow. | |
| Network Security Allow Local System To Use Computer Identity For NTLM | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_allowlocalsystemtousecomputeridentityforntlm | Local Policies Security Options | 1 | Allow |
| Network Security Allow PKU2U Authentication Requests | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_allowpku2uauthenticationrequests | Local Policies Security Options | 1 | Allow |
| Network Security Do Not Store LAN Manager Hash Value On Next Password Change | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_donotstorelanmanagerhashvalueonnextpasswordchange | Local Policies Security Options | 1 | Enable |
| Network Security LAN Manager Authentication Level | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_lanmanagerauthenticationlevel | Local Policies Security Options | 5 | Send LM and NTLMv2 responses only. Refuse LM and NTLM |
| Network Security Minimum Session Security For NTLMSSP Based Clients | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_minimumsessionsecurityforntlmsspbasedclients | Local Policies Security Options | 537395200 | Require NTLM and 128-bit encryption |
| Network Security Minimum Session Security For NTLMSSP Based Servers | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_minimumsessionsecurityforntlmsspbasedservers | Local Policies Security Options | 537395200 | Require NTLM and 128-bit encryption |
| Network Security Restrict NTLM Audit Incoming NTLM Traffic | device_vendor_msft_policy_config_localpoliciessecurityoptions_networksecurity_restrictntlm_auditincomingntlmtraffic | Local Policies Security Options | 2 | Enable auditing for all accounts |
| User Account Control Behavior Of The Elevation Prompt For Administrators | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_behavioroftheelevationpromptforadministrators | Local Policies Security Options | 2 | Prompt for consent on the secure desktop |
| User Account Control Behavior Of The Elevation Prompt For Standard Users | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_behavioroftheelevationpromptforstandardusers | Local Policies Security Options | 3 | Prompt for credentials |
| User Account Control Detect Application Installations And Prompt For Elevation | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_detectapplicationinstallationsandpromptforelevation | Local Policies Security Options | 1 | Enable |
| User Account Control Only Elevate UI Access Applications That Are Installed In Secure Locations | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_onlyelevateuiaccessapplicationsthatareinstalledinsecurelocations | Local Policies Security Options | 1 | Enabled: Application runs with UIAccess integrity only if it resides in secure location. |
| User Account Control Run All Administrators In Admin Approval Mode | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_runalladministratorsinadminapprovalmode | Local Policies Security Options | 1 | Enabled |
| User Account Control Switch To The Secure Desktop When Prompting For Elevation | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_switchtothesecuredesktopwhenpromptingforelevation | Local Policies Security Options | 1 | Enabled |
| User Account Control Use Admin Approval Mode | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_useadminapprovalmode | Local Policies Security Options | 1 | Enable |
| User Account Control Virtualize File And Registry Write Failures To Per User Locations | device_vendor_msft_policy_config_localpoliciessecurityoptions_useraccountcontrol_virtualizefileandregistrywritefailurestoperuserlocations | Local Policies Security Options | 1 | Enabled |
CIS Microsoft Store
CIS L1 section 48 regarding the Microsoft App Store.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/19/2024 20:27:06 | CIS L1 section 48 regarding Microsoft App Store. | 12/19/2024 20:27:06 | CIS Microsoft Store | windows10 | 0 | 6 | mdm | d8867f05-8ffc-426e-abe4-4ff35c130d65 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Allow apps from the Microsoft app store to auto update | device_vendor_msft_policy_config_applicationmanagement_allowappstoreautoupdate | Microsoft App Store | 1 | Allowed. |
| Allow Game DVR | device_vendor_msft_policy_config_applicationmanagement_allowgamedvr | Microsoft App Store | 0 | Block |
| MSI Allow User Control Over Install | device_vendor_msft_policy_config_applicationmanagement_msiallowusercontroloverinstall | Microsoft App Store | 0 | Disabled |
| MSI Always Install With Elevated Privileges | device_vendor_msft_policy_config_applicationmanagement_msialwaysinstallwithelevatedprivileges | Microsoft App Store | 0 | Disabled |
| MSI Always Install With Elevated Privileges (User) | user_vendor_msft_policy_config_applicationmanagement_msialwaysinstallwithelevatedprivileges | Microsoft App Store | 0 | Disabled |
| Require Private Store Only | device_vendor_msft_policy_config_applicationmanagement_requireprivatestoreonly | Microsoft App Store | 1 | Only Private store is enabled. |
CIS Privacy
CIS L1 section 58 on privacy.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/19/2024 20:30:21 | CIS L1 section 58 on privacy. | 12/19/2024 20:30:21 | CIS Privacy | windows10 | 0 | 2 | mdm | aadf459e-bc60-4471-bc72-a771efdb2d95 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Allow Input Personalization | device_vendor_msft_policy_config_privacy_allowinputpersonalization | Privacy | 0 | Block |
| Let Apps Activate With Voice Above Lock | device_vendor_msft_policy_config_privacy_letappsactivatewithvoiceabovelock | Privacy | 2 | Force deny. Windows apps cannot be activated by voice while the screen is locked, and users cannot change it. |
CIS Search
CIS L1 section 60 on search.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/19/2024 20:37:28 | CIS L1 section 60 on search. | 12/19/2024 20:37:28 | CIS Search | windows10 | 0 | 1 | mdm | 3db39a00-f381-4b8d-97b0-8281cba05dec | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Allow Search To Use Location | device_vendor_msft_policy_config_search_allowsearchtouselocation | Search | 0 | Block |
CIS Smart Screen
CIS L1 section 64 containing information on smart screen.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/19/2024 20:47:38 | CIS L1 section 64 containing information on smart screen. | 12/19/2024 20:47:38 | CIS Smart Screen | windows10 | 0 | 4 | mdm | a34e4a51-e446-48ab-a453-5cdddea1776d | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Notify Malicious | device_vendor_msft_policy_config_webthreatdefense_notifymalicious | Smart Screen\ Enhanced Phishing Protection | 1 | Enabled |
| Notify Password Reuse | device_vendor_msft_policy_config_webthreatdefense_notifypasswordreuse | Smart Screen\ Enhanced Phishing Protection | 1 | Enabled |
| Notify Unsafe App | device_vendor_msft_policy_config_webthreatdefense_notifyunsafeapp | Smart Screen\ Enhanced Phishing Protection | 1 | Enabled |
| Service Enabled | device_vendor_msft_policy_config_webthreatdefense_serviceenabled | Smart Screen\ Enhanced Phishing Protection | 1 | Enabled |
CIS System
CIS L1 section 67 on system.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/19/2024 21:00:29 | CIS L1 section 67 on system. | 12/19/2024 21:00:29 | CIS System | windows10 | 0 | 4 | mdm | c44684fc-ee52-4f9d-9285-e6b8df8d38d7 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Allow Telemetry | device_vendor_msft_policy_config_system_allowtelemetry | System | 1 | Basic |
| Enable One Settings Auditing | device_vendor_msft_policy_config_system_enableonesettingsauditing | System | 1 | Enabled. |
| Limit Diagnostic Log Collection | device_vendor_msft_policy_config_system_limitdiagnosticlogcollection | System | 1 | Enabled. |
| Limit Dump Collection | device_vendor_msft_policy_config_system_limitdumpcollection | System | 1 | Enabled. |
CIS System Services (Xbox)
CIS L1 Section 69 on system services. These settings relate specifically to the Xbox gaming services. Other system services are configured via a series of custom OMA-URIs.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 01/08/2025 21:23:46 | CIS L1 Section 69 on system services. These settings relate to xbox game specifically. Other system services are configured via a series of custom oma-uri’s. | 01/08/2025 21:23:46 | CIS System Services (Xbox) | windows10 | 0 | 4 | mdm | 63dadaee-6c5f-435b-931b-aeb012852b2d | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Configure Xbox Accessory Management Service Startup Mode | device_vendor_msft_policy_config_systemservices_configurexboxaccessorymanagementservicestartupmode | System Services | 4 | Disabled |
| Configure Xbox Live Auth Manager Service Startup Mode | device_vendor_msft_policy_config_systemservices_configurexboxliveauthmanagerservicestartupmode | System Services | 4 | Disabled |
| Configure Xbox Live Game Save Service Startup Mode | device_vendor_msft_policy_config_systemservices_configurexboxlivegamesaveservicestartupmode | System Services | 4 | Disabled |
| Configure Xbox Live Networking Service Startup Mode | device_vendor_msft_policy_config_systemservices_configurexboxlivenetworkingservicestartupmode | System Services | 4 | Disabled |
CIS User Rights
CIS section 74 on user rights.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/20/2024 18:19:59 | CIS section 74 on user rights. | 12/20/2024 18:19:59 | CIS User Rights | windows10 | 0 | 29 | mdm | cf754b1e-ab15-4844-8d41-668e3926b859 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Access Credential Manager As Trusted Caller | device_vendor_msft_policy_config_userrights_accesscredentialmanagerastrustedcaller | User Rights | No One | |
| Access From Network | device_vendor_msft_policy_config_userrights_accessfromnetwork | User Rights | System.Object[] | |
| Act As Part Of The Operating System | device_vendor_msft_policy_config_userrights_actaspartoftheoperatingsystem | User Rights | No One | |
| Allow Local Log On | device_vendor_msft_policy_config_userrights_allowlocallogon | User Rights | System.Object[] | |
| Backup Files And Directories | device_vendor_msft_policy_config_userrights_backupfilesanddirectories | User Rights | Administrators | |
| Change System Time | device_vendor_msft_policy_config_userrights_changesystemtime | User Rights | System.Object[] | |
| Create Global Objects | device_vendor_msft_policy_config_userrights_createglobalobjects | User Rights | System.Object[] | |
| Create Page File | device_vendor_msft_policy_config_userrights_createpagefile | User Rights | Administrators | |
| Create Permanent Shared Objects | device_vendor_msft_policy_config_userrights_createpermanentsharedobjects | User Rights | No One | |
| Create Symbolic Links | device_vendor_msft_policy_config_userrights_createsymboliclinks | User Rights | System.Object[] | |
| Create Token | device_vendor_msft_policy_config_userrights_createtoken | User Rights | No One | |
| Debug Programs | device_vendor_msft_policy_config_userrights_debugprograms | User Rights | Administrators | |
| Deny Access From Network | device_vendor_msft_policy_config_userrights_denyaccessfromnetwork | User Rights | System.Object[] | |
| Deny Local Log On | device_vendor_msft_policy_config_userrights_denylocallogon | User Rights | Guests | |
| Deny Remote Desktop Services Log On | device_vendor_msft_policy_config_userrights_denyremotedesktopserviceslogon | User Rights | System.Object[] | |
| Enable Delegation | device_vendor_msft_policy_config_userrights_enabledelegation | User Rights | No One | |
| Generate Security Audits | device_vendor_msft_policy_config_userrights_generatesecurityaudits | User Rights | System.Object[] | |
| Impersonate Client | device_vendor_msft_policy_config_userrights_impersonateclient | User Rights | System.Object[] | |
| Increase Scheduling Priority | device_vendor_msft_policy_config_userrights_increaseschedulingpriority | User Rights | System.Object[] | |
| Load Unload Device Drivers | device_vendor_msft_policy_config_userrights_loadunloaddevicedrivers | User Rights | Administrators | |
| Lock Memory | device_vendor_msft_policy_config_userrights_lockmemory | User Rights | No One | |
| Manage Auditing And Security Log | device_vendor_msft_policy_config_userrights_manageauditingandsecuritylog | User Rights | Administrators | |
| Manage Volume | device_vendor_msft_policy_config_userrights_managevolume | User Rights | Administrators | |
| Modify Firmware Environment | device_vendor_msft_policy_config_userrights_modifyfirmwareenvironment | User Rights | Administrators | |
| Modify Object Label | device_vendor_msft_policy_config_userrights_modifyobjectlabel | User Rights | No One | |
| Profile Single Process | device_vendor_msft_policy_config_userrights_profilesingleprocess | User Rights | Administrators | |
| Remote Shutdown | device_vendor_msft_policy_config_userrights_remoteshutdown | User Rights | Administrators | |
| Restore Files And Directories | device_vendor_msft_policy_config_userrights_restorefilesanddirectories | User Rights | Administrators | |
| Take Ownership | device_vendor_msft_policy_config_userrights_takeownership | User Rights | Administrators | |
CIS Virtualization Based Technology
Section 75 on virtualization-based technology.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 01/07/2025 20:15:27 | Section 75 on Virtualization based technology. | 01/07/2025 20:15:27 | CIS Virtualization Based Technology | windows10 | 0 | 2 | mdm | 1fd09e7c-9322-4c95-b218-eb5ae449cdb1 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Hypervisor Enforced Code Integrity | device_vendor_msft_policy_config_virtualizationbasedtechnology_hypervisorenforcedcodeintegrity | Virtualization Based Technology | 1 | (Enabled with UEFI lock) Turns on Hypervisor-Protected Code Integrity with UEFI lock. |
| Require UEFI Memory Attributes Table | device_vendor_msft_policy_config_virtualizationbasedtechnology_requireuefimemoryattributestable | Virtualization Based Technology | 1 | Require UEFI Memory Attributes Table |
CIS Widgets
CIS L1 section 77 on widgets.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 01/07/2025 20:18:58 | CIS L1 section 77 on widgets | 01/07/2025 20:18:58 | CIS Widgets | windows10 | 0 | 1 | mdm | 8dfe3c8c-0f75-43f9-a4df-1e64bc8c7114 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| IT Testing | 1 | Static | - | - | direct | Exclude |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Allow widgets | device_vendor_msft_policy_config_newsandinterests_allownewsandinterests | Widgets | 0 | Not allowed. |
CIS Windows Ink Workspace
CIS L1 section 80 on Windows Ink Workspace.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 01/07/2025 20:28:38 | CIS L1 section 80 on windows ink workspace | 01/07/2025 20:28:38 | CIS Windows Ink Workspace | windows10 | 0 | 1 | mdm | 48c5df00-3fe3-4501-9942-0af04279da2e | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Allow Windows Ink Workspace | device_vendor_msft_policy_config_windowsinkworkspace_allowwindowsinkworkspace | Windows Ink Workspace | 1 | ink workspace is enabled (feature is turned on), but the user cannot access it above the lock screen. |
CIS Windows Security Defender Center
CIS L1 section 78 on Windows Security Defender Center.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 01/07/2025 20:21:23 | CIS L1 section 78 on windows security defender center | 01/07/2025 20:21:23 | CIS Windows Security Defender Center | windows10 | 0 | 1 | mdm | 7cbdf2a9-f742-4ad1-a8cc-16af5ef751ea | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Disallow Exploit Protection Override | device_vendor_msft_policy_config_windowsdefendersecuritycenter_disallowexploitprotectionoverride | Windows Defender Security Center | 1 | (Enable) Local users cannot make changes in the exploit protection settings area. |
CIS Windows Update for Business
CIS L1 Section 83 on Windows Update for Business.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 01/07/2025 20:38:14 | CIS L1 Section 83 on Windows update for business | 01/07/2025 20:38:14 | CIS Windows Update for Business | windows10 | 0 | 7 | mdm | 88e44ae5-4829-423d-a91b-df4a47c16138 | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Allow Auto Update | device_vendor_msft_policy_config_update_allowautoupdate | Windows Update For Business | 3 | Auto install and restart at a specified time. The IT specifies the installation day and time. If no day and time are specified, the default is 3 AM daily. Automatic installation happens at this time and device restart happens after a 15-minute countdown. If the user is logged in when Windows is ready to restart, the user can interrupt the 15-minute countdown to delay the restart. |
| Block “Pause Updates” ability | device_vendor_msft_policy_config_update_setdisablepauseuxaccess | Windows Update For Business | 1 | Block |
| Defer Feature Updates Period In Days | device_vendor_msft_policy_config_update_deferfeatureupdatesperiodindays | Windows Update For Business | 180 | |
| Defer Quality Updates Period (Days) | device_vendor_msft_policy_config_update_deferqualityupdatesperiodindays | Windows Update For Business | 0 | |
| Manage Preview Builds | device_vendor_msft_policy_config_update_managepreviewbuilds | Windows Update For Business | 0 | Disable Preview builds |
| Scheduled Install Day | device_vendor_msft_policy_config_update_scheduledinstallday | Windows Update For Business | 0 | Every day |
| Scheduled Install Time | device_vendor_msft_policy_config_update_scheduledinstalltime | Windows Update For Business | 3 | |
Default EDR policy for all devices
Default EDR policy targeting all of the tenant's devices, created by MDE.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/05/2023 19:38:14 | Migration_DI_8af9d54a-d7d2-44b1-8e84-23eafe707b81 | Default EDR policy for targetting all tenants devices, created by MDE. | 12/05/2023 19:38:14 | Default EDR policy for all devices | windows10 | 0 | 2 | mdm,microsoftSense | 93ab48b3-2a7a-4704-8670-67da475b56f0 | @{templateId=0385b795-0f2f-44ac-8602-9f65bf6adede_1; templateFamily=endpointSecurityEndpointDetectionAndResponse; templateDisplayName=Endpoint detection and response; templateDisplayVersion=Version 1} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Microsoft Defender for Endpoint client configuration package type | device_vendor_msft_windowsadvancedthreatprotection_configurationtype | Microsoft Defender for Endpoint | autofromconnector | Auto from connector |
| [Deprecated] Telemetry Reporting Frequency | device_vendor_msft_windowsadvancedthreatprotection_configuration_telemetryreportingfrequency | Microsoft Defender for Endpoint | 2 | Expedite |
EnableControlledFolderAccess
Protects files, folders, and memory areas on devices from unauthorized changes by unfriendly applications such as ransomware.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 05/31/2022 16:41:35 | Protects files, folders, and memory areas on devices from unauthorized changes by unfriendly applications such as ransomware. | 05/31/2022 18:39:14 | EnableControlledFolderAccess | windows10 | 0 | 4 | mdm,microsoftSense | be377908-d5e9-4030-a93c-bab12d04a4c4 | @{templateId=e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1; templateFamily=endpointSecurityAttackSurfaceReduction; templateDisplayName=Attack Surface Reduction Rules; templateDisplayVersion=Version 1} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Users | - | BuilIn | - | - | direct | Include |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Use advanced protection against ransomware | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware | Defender | block | Block |
| Enable Controlled Folder Access | device_vendor_msft_policy_config_defender_enablecontrolledfolderaccess | Defender | 2 | Audit Mode |
| Controlled Folder Access Protected Folders | device_vendor_msft_policy_config_defender_controlledfolderaccessprotectedfolders | Defender | C:\Users | |
| Controlled Folder Access Allowed Applications | device_vendor_msft_policy_config_defender_controlledfolderaccessallowedapplications | Defender | System.Object[] | |
Firewall Windows default policy
The default policy applies settings to all endpoints that are not governed by any other policy, ensuring that all clients are managed as soon as MDE is deployed. The default policy is based on a set of pre-configured recommended settings and can be adjusted by a user with admin privileges.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 03/30/2022 23:10:54 | MdeDeviceConfigurationPolicies | Default policy sets settings for all endpoints that are not governed by any other policy, ensuring that all your clients are managed as soon as MDE is deployed. The default policy is based on a set of pre-configured recommended settings and can be adjusted by user with admin priviledges. | 03/30/2022 23:10:54 | Firewall Windows default policy | windows10 | 0 | 3 | mdm,microsoftSense | 1a26b955-e4d1-46ad-90d5-915e768e3dd9 | @{templateId=6078910e-d808-4a9f-a51d-1b8a7bacb7c0_1; templateFamily=endpointSecurityFirewall; templateDisplayName=Windows Firewall; templateDisplayVersion=Version 1} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Enable Domain Network Firewall | vendor_msft_firewall_mdmstore_domainprofile_enablefirewall | Firewall | true | True |
| Enable Private Network Firewall | vendor_msft_firewall_mdmstore_privateprofile_enablefirewall | Firewall | true | True |
| Enable Public Network Firewall | vendor_msft_firewall_mdmstore_publicprofile_enablefirewall | Firewall | true | True |
Full ASR Rule Audit
Audit Mode for ASR Rules
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 11/21/2022 20:45:59 | Audit Mode for ASR Rules | 11/21/2022 20:45:59 | Full ASR Rule Audit | windows10 | 0 | 1 | mdm,microsoftSense | 15c9fbb3-cb19-4c27-b3a5-fe5d116b0dbb | @{templateId=e8c053d6-9f95-42b1-a7f1-ebfd71c67a4b_1; templateFamily=endpointSecurityAttackSurfaceReduction; templateDisplayName=Attack Surface Reduction Rules; templateDisplayVersion=Version 1} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Users | - | BuilIn | - | - | direct | Include |
| All Devices | - | BuilIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Block Adobe Reader from creating child processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockadobereaderfromcreatingchildprocesses | Defender | audit | Audit |
| Block execution of potentially obfuscated scripts | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutionofpotentiallyobfuscatedscripts | Defender | audit | Audit |
| Block Win32 API calls from Office macros | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockwin32apicallsfromofficemacros | Defender | audit | Audit |
| Block credential stealing from the Windows local security authority subsystem | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockcredentialstealingfromwindowslocalsecurityauthoritysubsystem | Defender | audit | Audit |
| Block executable files from running unless they meet a prevalence, age, or trusted list criterion | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablefilesrunningunlesstheymeetprevalenceagetrustedlistcriterion | Defender | audit | Audit |
| Block JavaScript or VBScript from launching downloaded executable content | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockjavascriptorvbscriptfromlaunchingdownloadedexecutablecontent | Defender | audit | Audit |
| Block Office communication application from creating child processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficecommunicationappfromcreatingchildprocesses | Defender | audit | Audit |
| Block all Office applications from creating child processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockallofficeapplicationsfromcreatingchildprocesses | Defender | audit | Audit |
| Block untrusted and unsigned processes that run from USB | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockuntrustedunsignedprocessesthatrunfromusb | Defender | audit | Audit |
| Block process creations originating from PSExec and WMI commands | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockprocesscreationsfrompsexecandwmicommands | Defender | audit | Audit |
| Block persistence through WMI event subscription | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockpersistencethroughwmieventsubscription | Defender | audit | Audit |
| Block Office applications from creating executable content | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfromcreatingexecutablecontent | Defender | audit | Audit |
| Block Office applications from injecting code into other processes | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockofficeapplicationsfrominjectingcodeintootherprocesses | Defender | audit | Audit |
| Use advanced protection against ransomware | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_useadvancedprotectionagainstransomware | Defender | audit | Audit |
| Block executable content from email client and webmail | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockexecutablecontentfromemailclientandwebmail | Defender | audit | Audit |
| Block abuse of exploited vulnerable signed drivers (Device) | device_vendor_msft_policy_config_defender_attacksurfacereductionrules_blockabuseofexploitedvulnerablesigneddrivers | Defender | audit | Audit |
Inactivity To Lock Screen
After a period of inactivity, the computer goes to the lock screen.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 12/13/2024 17:15:58 | | After a period of inactivity, the computer goes to the lock screen. | 12/17/2024 23:46:55 | Inactivity To Lock Screen | windows10 | | 0 | 2 | mdm | 9280a06c-6830-4553-9123-50a6f42bcb9d | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuiltIn | - | - | direct | Include |
| Lab Computers | 1 | DynamicDevice | (device.displayName -startsWith "lab-") | - | direct | Exclude |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Allow Cortana Above Lock | device_vendor_msft_policy_config_abovelock_allowcortanaabovelock | Above Lock | 0 | Block |
| Interactive Logon Machine Inactivity Limit | device_vendor_msft_policy_config_localpoliciessecurityoptions_interactivelogon_machineinactivitylimit_v2 | Local Policies Security Options | 600 | |
Inactivity to lockout (Lab PC’s)
Sets an inactivity lockout specific to lab computers.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 01/15/2025 15:57:50 | | Sets an inactivity lockout specific to lab computers. | 02/27/2025 16:45:34 | Inactivity to lockout (Lab PC’s) | windows10 | | 0 | 2 | mdm | 8a4de375-7b1c-43d7-bac7-197670e144dd | @{templateId=; templateFamily=none; templateDisplayName=; templateDisplayVersion=} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Lab Computers | 1 | DynamicDevice | (device.displayName -startsWith "lab-") | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Interactive Logon Machine Inactivity Limit | device_vendor_msft_policy_config_localpoliciessecurityoptions_interactivelogon_machineinactivitylimit_v2 | Local Policies Security Options | 1200 | |
| Unattended Sleep Timeout Plugged In | device_vendor_msft_policy_config_power_unattendedsleeptimeoutpluggedin | Power | 0 | |
MS Edge Baseline
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 06/30/2023 17:26:33 | | | 12/13/2024 16:28:59 | MS Edge Baseline | windows10 | | 0 | 17 | mdm | ff8c048c-6b0a-4624-8bd4-a08b0cf8de68 | @{templateId=c66347b7-8325-4954-a235-3bf2233dfbfd_1; templateFamily=baseline; templateDisplayName=Security Baseline for Microsoft Edge; templateDisplayVersion=Version 112} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Windows | 1 | DynamicDevice | (device.deviceOSType -eq "Windows") | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Allow Basic authentication for HTTP | device_vendor_msft_policy_config_microsoft_edgev88.0.705.23~policy~microsoft_edge~httpauthentication_basicauthoverhttpenabled | Microsoft Edge\HTTP authentication | 0 | Disabled |
| Supported authentication schemes | device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~httpauthentication_authschemes | Microsoft Edge\HTTP authentication | 1 | Enabled |
| Allow user-level native messaging hosts (installed without admin permissions) | device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~nativemessaging_nativemessaginguserlevelhosts | Microsoft Edge\Native Messaging | 0 | Disabled |
| Enable saving passwords to the password manager | device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~passwordmanager_passwordmanagerenabled | Microsoft Edge\Password manager and protection | 0 | Disabled |
| Specifies whether to allow insecure websites to make requests to more-private network endpoints | device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge~privatenetworkrequestsettings_insecureprivatenetworkrequestsallowed | Microsoft Edge\ Private Network Request Settings | 0 | Disabled |
| Configure Microsoft Defender SmartScreen | device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_smartscreenenabled | Microsoft Edge\SmartScreen settings | 1 | Enabled |
| Configure Microsoft Defender SmartScreen to block potentially unwanted apps | device_vendor_msft_policy_config_microsoft_edgev80diff~policy~microsoft_edge~smartscreen_smartscreenpuaenabled | Microsoft Edge\SmartScreen settings | 1 | Enabled |
| Prevent bypassing Microsoft Defender SmartScreen prompts for sites | device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge~smartscreen_preventsmartscreenpromptoverride | Microsoft Edge\SmartScreen settings | 1 | Enabled |
| Allow unconfigured sites to be reloaded in Internet Explorer mode | device_vendor_msft_policy_config_microsoft_edgev92~policy~microsoft_edge_internetexplorerintegrationreloadiniemodeallowed | Microsoft Edge | 1 | Enabled |
| Allow users to proceed from the HTTPS warning page | device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslerroroverrideallowed | Microsoft Edge | 0 | Disabled |
| Enable browser legacy extension point blocking | device_vendor_msft_policy_config_microsoft_edgev95~policy~microsoft_edge_browserlegacyextensionpointsblockingenabled | Microsoft Edge | 1 | Enabled |
| Enable site isolation for every site | device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_siteperprocess | Microsoft Edge | 1 | Enabled |
| Enhance images enabled (obsolete) | device_vendor_msft_policy_config_microsoft_edgev97~policy~microsoft_edge_edgeenhanceimagesenabled | Microsoft Edge | 0 | Disabled |
| Force WebSQL to be enabled | device_vendor_msft_policy_config_microsoft_edgev107~policy~microsoft_edge_websqlaccess | Microsoft Edge | 0 | Disabled |
| Minimum TLS version enabled | device_vendor_msft_policy_config_microsoft_edge~policy~microsoft_edge_sslversionmin | Microsoft Edge | 1 | Enabled |
| Show the Reload in Internet Explorer mode button in the toolbar | device_vendor_msft_policy_config_microsoft_edgev96~policy~microsoft_edge_internetexplorermodetoolbarbuttonenabled | Microsoft Edge | 0 | Disabled |
| Specifies whether SharedArrayBuffers can be used in a non cross-origin-isolated context | device_vendor_msft_policy_config_microsoft_edgev111~policy~microsoft_edge_sharedarraybufferunrestrictedaccessallowed | Microsoft Edge | 0 | Disabled |
NGP Windows default policy
The default policy sets settings for all endpoints that are not governed by any other policy, ensuring that all your clients are managed as soon as MDE is deployed. The default policy is based on a set of pre-configured recommended settings and can be adjusted by users with admin privileges.
| createdDateTime | creationSource | description | lastModifiedDateTime | name | platforms | priorityMetaData | roleScopeTagIds | settingCount | technologies | id | templateReference |
| 03/30/2022 23:10:54 | MdeDeviceConfigurationPolicies | The default policy sets settings for all endpoints that are not governed by any other policy, ensuring that all your clients are managed as soon as MDE is deployed. The default policy is based on a set of pre-configured recommended settings and can be adjusted by users with admin privileges. | 07/07/2023 19:23:08 | NGP Windows default policy | windows10 | | 0 | 27 | mdm,microsoftSense | b28bc355-0c75-4460-b7f3-e2c7ae73eb0a | @{templateId=804339ad-1553-4478-a742-138fb5807418_1; templateFamily=endpointSecurityAntivirus; templateDisplayName=Microsoft Defender Antivirus; templateDisplayVersion=Version 1} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuiltIn | - | - | direct | Include |
Settings
| DisplayName | ID | Path | Value | ValueName |
| Allow Archive Scanning | device_vendor_msft_policy_config_defender_allowarchivescanning | Defender | 1 | Allowed. Scans the archive files. |
| Allow Behavior Monitoring | device_vendor_msft_policy_config_defender_allowbehaviormonitoring | Defender | 1 | Allowed. Turns on real-time behavior monitoring. |
| Allow Cloud Protection | device_vendor_msft_policy_config_defender_allowcloudprotection | Defender | 1 | Allowed. Turns on Cloud Protection. |
| Allow Email Scanning | device_vendor_msft_policy_config_defender_allowemailscanning | Defender | 1 | Allowed. Turns on email scanning. |
| Allow Full Scan On Mapped Network Drives | device_vendor_msft_policy_config_defender_allowfullscanonmappednetworkdrives | Defender | 0 | Not allowed. Disables scanning on mapped network drives. |
| Allow Full Scan Removable Drive Scanning | device_vendor_msft_policy_config_defender_allowfullscanremovabledrivescanning | Defender | 1 | Allowed. Scans removable drives. |
| Allow scanning of all downloaded files and attachments | device_vendor_msft_policy_config_defender_allowioavprotection | Defender | 1 | Allowed. |
| Allow Realtime Monitoring | device_vendor_msft_policy_config_defender_allowrealtimemonitoring | Defender | 1 | Allowed. Turns on and runs the real-time monitoring service. |
| Allow Scanning Network Files | device_vendor_msft_policy_config_defender_allowscanningnetworkfiles | Defender | 0 | Not allowed. Turns off scanning of network files. |
| Allow Script Scanning | device_vendor_msft_policy_config_defender_allowscriptscanning | Defender | 1 | Allowed. |
| Allow User UI Access | device_vendor_msft_policy_config_defender_allowuseruiaccess | Defender | 1 | Allowed. Lets users access UI. |
| Avg CPU Load Factor | device_vendor_msft_policy_config_defender_avgcpuloadfactor | Defender | 50 | |
| Check For Signatures Before Running Scan | device_vendor_msft_policy_config_defender_checkforsignaturesbeforerunningscan | Defender | 1 | Enabled |
| Cloud Block Level | device_vendor_msft_policy_config_defender_cloudblocklevel | Defender | 2 | High |
| Cloud Extended Timeout | device_vendor_msft_policy_config_defender_cloudextendedtimeout | Defender | 50 | |
| Days To Retain Cleaned Malware | device_vendor_msft_policy_config_defender_daystoretaincleanedmalware | Defender | 0 | |
| Disable Catchup Full Scan | device_vendor_msft_policy_config_defender_disablecatchupfullscan | Defender | 0 | Disabled |
| Disable Catchup Quick Scan | device_vendor_msft_policy_config_defender_disablecatchupquickscan | Defender | 0 | Disabled |
| Enable Low CPU Priority | device_vendor_msft_policy_config_defender_enablelowcpupriority | Defender | 0 | Disabled |
| Enable Network Protection | device_vendor_msft_policy_config_defender_enablenetworkprotection | Defender | 1 | Enabled (block mode) |
| PUA Protection | device_vendor_msft_policy_config_defender_puaprotection | Defender | 1 | PUA Protection on. Detected items are blocked. They will show in history along with other threats. |
| Real Time Scan Direction | device_vendor_msft_policy_config_defender_realtimescandirection | Defender | 0 | Monitor all files (bi-directional). |
| Scan Parameter | device_vendor_msft_policy_config_defender_scanparameter | Defender | 1 | Quick scan |
| Schedule Quick Scan Time | device_vendor_msft_policy_config_defender_schedulequickscantime | Defender | 720 | |
| Schedule Scan Day | device_vendor_msft_policy_config_defender_schedulescanday | Defender | 2 | Monday |
| Signature Update Interval | device_vendor_msft_policy_config_defender_signatureupdateinterval | Defender | 4 | |
| Submit Samples Consent | device_vendor_msft_policy_config_defender_submitsamplesconsent | Defender | 1 | Send safe samples automatically. |
Device Configuration
This section contains a list of all device configuration profiles available in Intune.
ADMX Firefox Default Policies
Default Firefox policies to enhance security and usability.
| Property | Value |
| @odata.type | #microsoft.graph.windows10CustomConfiguration |
| id | 2bc3f272-cb4c-486b-b010-6ee05c40bd49 |
| lastModifiedDateTime | 07/06/2022 18:34:07 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsEdition | |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 11/08/2021 19:03:51 |
| description | Default Firefox policies to enhance security and usability. |
| displayName | ADMX Firefox Default Policies |
| version | 7 |
| omaSettings |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Users | - | BuiltIn | - | apply | direct | Include |
Custom OMA-Uri
| @odata.type | displayName | description | omaUri | secretReferenceValueId | isEncrypted | value |
| #microsoft.graph.omaSettingString | Firefox ADMX | Default Firefox Settings | ./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Firefox/Policy/FirefoxAdmx | aeaba85a-84ce-4deb-b0fd-e22de311a7a7_2bc3f272-cb4c-486b-b010-6ee05c40bd49_b1f1e87d-fc54-4ae5-81f9-1bd8b3dec644 | True | **** |
| #microsoft.graph.omaSettingString | Required Extensions | List of extensions to force install | ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Extensions/ExtensionSettings | aeaba85a-84ce-4deb-b0fd-e22de311a7a7_2bc3f272-cb4c-486b-b010-6ee05c40bd49_f3ec6f4a-f12d-4f51-9978-6cadec4973c1 | True | **** |
Baseline Android Device Restrictions
| Property | Value |
| @odata.type | #microsoft.graph.androidWorkProfileGeneralDeviceConfiguration |
| id | a8b4eeb8-0204-4964-9a6d-a99e7cb17cf4 |
| lastModifiedDateTime | 06/29/2023 22:56:31 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsEdition | |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 11/16/2021 19:13:08 |
| description | |
| displayName | Baseline Android Device Restrictions |
| version | 2 |
| passwordBlockFaceUnlock | |
| passwordBlockFingerprintUnlock | |
| passwordBlockIrisUnlock | |
| passwordBlockTrustAgents | |
| passwordExpirationDays | 365 |
| passwordMinimumLength | 10 |
| passwordMinutesOfInactivityBeforeScreenTimeout | 15 |
| passwordPreviousPasswordBlockCount | 5 |
| passwordSignInFailureCountBeforeFactoryReset | 5 |
| passwordRequiredType | required |
| requiredPasswordComplexity | medium |
| workProfileAllowAppInstallsFromUnknownSources | |
| workProfileDataSharingType | allowPersonalToWork |
| workProfileBlockNotificationsWhileDeviceLocked | |
| workProfileBlockAddingAccounts | |
| workProfileBluetoothEnableContactSharing | |
| workProfileBlockScreenCapture | |
| workProfileBlockCrossProfileCallerId | |
| workProfileBlockCamera | |
| workProfileBlockCrossProfileContactsSearch | |
| workProfileBlockCrossProfileCopyPaste | |
| workProfileDefaultAppPermissionPolicy | prompt |
| workProfilePasswordBlockFaceUnlock | |
| workProfilePasswordBlockFingerprintUnlock | |
| workProfilePasswordBlockIrisUnlock | |
| workProfilePasswordBlockTrustAgents | |
| workProfilePasswordExpirationDays | |
| workProfilePasswordMinimumLength | |
| workProfilePasswordMinNumericCharacters | |
| workProfilePasswordMinNonLetterCharacters | |
| workProfilePasswordMinLetterCharacters | |
| workProfilePasswordMinLowerCaseCharacters | |
| workProfilePasswordMinUpperCaseCharacters | |
| workProfilePasswordMinSymbolCharacters | |
| workProfilePasswordMinutesOfInactivityBeforeScreenTimeout | |
| workProfilePasswordPreviousPasswordBlockCount | |
| workProfilePasswordSignInFailureCountBeforeFactoryReset | |
| workProfilePasswordRequiredType | deviceDefault |
| workProfileRequiredPasswordComplexity | none |
| workProfileRequirePassword | |
| securityRequireVerifyApps | True |
| vpnAlwaysOnPackageIdentifier | |
| vpnEnableAlwaysOnLockdownMode | |
| workProfileAllowWidgets | |
| workProfileBlockPersonalAppInstallsFromUnknownSources | True |
| workProfileAccountUse | allowAllExceptGoogleAccounts |
| allowedGoogleAccountDomains | |
| blockUnifiedPasswordForWorkProfile |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| | 0 | Static | - | apply | direct | Include |
CIS Miscellaneous Recommendations
CIS L1 section 86 on miscellaneous recommendations
| Property | Value |
| @odata.type | #microsoft.graph.windows10CustomConfiguration |
| id | 722b038d-d199-40f8-9f19-02dae6b1af3b |
| lastModifiedDateTime | 01/07/2025 20:48:18 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 01/07/2025 20:48:18 |
| description | CIS L1 section 86 on miscellaneous recommendations |
| displayName | CIS Miscellaneous Recommendations |
| version | 1 |
| deviceManagementApplicabilityRuleOsEdition | @{osEditionTypes=System.Object[]; name=; ruleType=include} |
| omaSettings |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuiltIn | - | apply | direct | Include |
Custom OMA-Uri
| @odata.type | displayName | description | omaUri | secretReferenceValueId | isEncrypted | value | isReadOnly |
| #microsoft.graph.omaSettingInteger | CIS 86.1.2 | autoconnect->hotspot | ./Device/Vendor/MSFT/Policy/Config/Wifi/AllowAutoConnectToWiFiSenseHotspots | | False | 0 | False |
CIS System Services
CIS L1 section 69 on system services. Specifically, settings that can only be made with a custom OMA-URI.
| Property | Value |
| @odata.type | #microsoft.graph.windows10CustomConfiguration |
| id | 2659fe59-61d0-443f-9b7b-bc86a54c0df7 |
| lastModifiedDateTime | 01/08/2025 21:20:44 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 01/08/2025 21:20:44 |
| description | CIS L1 section 69 on system services. Specifically, settings that can only be made with a custom OMA-URI. |
| displayName | CIS System Services |
| version | 1 |
| deviceManagementApplicabilityRuleOsEdition | @{osEditionTypes=System.Object[]; name=; ruleType=include} |
| omaSettings |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuiltIn | - | apply | direct | Include |
Custom OMA-Uri
| @odata.type | displayName | description | omaUri | secretReferenceValueId | isEncrypted | value | isReadOnly |
| #microsoft.graph.omaSettingInteger | 69.3 (L1) Ensure ‘Computer Browser (Browser)’ | | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureComputerBrowserServiceStartupMode | | False | 4 | False |
| #microsoft.graph.omaSettingInteger | 69.6 (L1) Ensure ‘IIS Admin Service (IISADMIN)’ is set to ‘Disabled’ or ‘Not Installed’ | exception needed for software team | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureIISAdminServiceStartupMode | | False | 4 | False |
| #microsoft.graph.omaSettingInteger | 69.7 (L1) Ensure ‘Infrared monitor service (irmon)’ is set to ‘Disabled’ or ‘Not Installed’ (Automated) | | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureInfraredMonitorServiceStartupMode | | False | 4 | False |
| #microsoft.graph.omaSettingInteger | 69.11 (L1) Ensure ‘Microsoft FTP Service (FTPSVC)’ is set to ‘Disabled’ or ‘Not Installed’ (Automated) | | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureMicrosoftFTPServiceStartupMode | | False | 4 | False |
| #microsoft.graph.omaSettingInteger | 69.24 (L1) Ensure ‘Remote Procedure Call (RPC) Locator (RpcLocator)’ is set to ‘Disabled’ (Automated) | | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRemoteProcedureCallLocatorServiceStartupMode | | False | 4 | False |
| #microsoft.graph.omaSettingInteger | 69.26 (L1) Ensure ‘Routing and Remote Access (RemoteAccess)’ is set to ‘Disabled’ (Automated) | | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureRoutingAndRemoteAccessServiceStartupMode | | False | 4 | False |
| #microsoft.graph.omaSettingInteger | 69.28 (L1) Ensure ‘Simple TCP/IP Services (simptcp)’ is set to ‘Disabled’ or ‘Not Installed’ (Automated) | | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSimpleTCPIPServicesStartupMode | | False | 4 | False |
| #microsoft.graph.omaSettingInteger | 69.30 (L1) Ensure ‘Special Administration Console Helper (sacsvr)’ is set to ‘Disabled’ or ‘Not Installed’ (Automated) | | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSpecialAdministrationConsoleHelperServiceStartupMode | | False | 4 | False |
| #microsoft.graph.omaSettingInteger | 69.31 (L1) Ensure ‘SSDP Discovery (SSDPSRV)’ is set to ‘Disabled’ (Automated) | | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureSSDPDiscoveryServiceStartupMode | | False | 4 | False |
| #microsoft.graph.omaSettingInteger | 69.32 (L1) Ensure ‘UPnP Device Host (upnphost)’ is set to ‘Disabled’ (Automated) | | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureUPnPDeviceHostServiceStartupMode | | False | 4 | False |
| #microsoft.graph.omaSettingInteger | 69.33 (L1) Ensure ‘Web Management Service (WMSvc)’ is set to ‘Disabled’ or ‘Not Installed’ (Automated) | | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWebManagementServiceStartupMode | | False | 4 | False |
| #microsoft.graph.omaSettingInteger | 69.36 (L1) Ensure ‘Windows Media Player Network Sharing Service (WMPNetworkSvc)’ is set to ‘Disabled’ or ‘Not Installed’ (Automated) | | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMediaPlayerNetworkSharingServiceStartupMode | | False | 4 | False |
| #microsoft.graph.omaSettingInteger | 69.37 (L1) Ensure ‘Windows Mobile Hotspot Service (icssvc)’ is set to ‘Disabled’ (Automated) | | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWindowsMobileHotspotServiceStartupMode | | False | 4 | False |
| #microsoft.graph.omaSettingInteger | 69.41 (L1) Ensure ‘World Wide Web Publishing Service (W3SVC)’ is set to ‘Disabled’ or ‘Not Installed’ (Automated) | | ./Device/Vendor/MSFT/Policy/Config/SystemServices/ConfigureWorldWideWebPublishingServiceStartupMode | | False | 4 | False |
Disable MS WUDO
Disables Microsoft's P2P local network update sharing.
| Property | Value |
| @odata.type | #microsoft.graph.windowsDeliveryOptimizationConfiguration |
| id | a4e50ef4-36e6-4d40-b072-adb3ae1d6ee9 |
| lastModifiedDateTime | 07/27/2022 19:48:10 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsEdition | |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 07/27/2022 19:48:10 |
| description | Disables Microsoft's P2P local network update sharing. |
| displayName | Disable MS WUDO |
| version | 1 |
| deliveryOptimizationMode | simpleDownload |
| restrictPeerSelectionBy | notConfigured |
| groupIdSource | |
| bandwidthMode | |
| backgroundDownloadFromHttpDelayInSeconds | |
| foregroundDownloadFromHttpDelayInSeconds | |
| minimumRamAllowedToPeerInGigabytes | |
| minimumDiskSizeAllowedToPeerInGigabytes | |
| minimumFileSizeToCacheInMegabytes | |
| minimumBatteryPercentageAllowedToUpload | |
| modifyCacheLocation | |
| maximumCacheAgeInDays | |
| maximumCacheSize | |
| vpnPeerCaching | notConfigured |
| cacheServerHostNames | |
| cacheServerForegroundDownloadFallbackToHttpDelayInSeconds | |
| cacheServerBackgroundDownloadFallbackToHttpDelayInSeconds |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Users | - | BuiltIn | - | apply | direct | Include |
| All Devices | - | BuiltIn | - | apply | direct | Include |
Mac Approve System Extensions
This profile is needed for MacOS 10.15 (Catalina) or newer. It will be ignored on older MacOS.
| Property | Value |
| @odata.type | #microsoft.graph.macOSExtensionsConfiguration |
| id | 175c09f6-f23c-4d11-bda3-4a8714c81c6b |
| lastModifiedDateTime | 04/08/2022 16:18:44 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsEdition | |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 04/08/2022 16:14:57 |
| description | This profile is needed for MacOS 10.15 (Catalina) or newer. It will be ignored on older MacOS. |
| displayName | Mac Approve System Extensions |
| version | 2 |
| kernelExtensionOverridesAllowed | |
| kernelExtensionAllowedTeamIdentifiers | |
| systemExtensionsBlockOverride | |
| systemExtensionsAllowedTeamIdentifiers | |
| kernelExtensionsAllowed | |
| systemExtensionsAllowed | |
| systemExtensionsAllowedTypes |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Apple Business | 1 | Static | (device.deviceOSType -contains "macOS") or (device.deviceOSType -contains "OS X") or (device.deviceModel -contains "MacBook Air") or (device.deviceModel -contains "MacBook Pro") | apply | direct | Include |
Mac Defender for Endpoint Full Disk Access
MacOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device.
This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint.
| Property | Value |
| @odata.type | #microsoft.graph.macOSCustomConfiguration |
| id | 4e6ba603-3ae3-4951-9e9e-80a0196bb6e2 |
| lastModifiedDateTime | 04/08/2022 16:27:10 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsEdition | |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 04/08/2022 16:24:29 |
| description | MacOS 10.15 (Catalina) contains new security and privacy enhancements. Beginning with this version, by default, applications are not able to access certain locations on disk (such as Documents, Downloads, Desktop, etc.) without explicit consent. In the absence of this consent, Microsoft Defender for Endpoint is not able to fully protect your device. This configuration profile grants Full Disk Access to Microsoft Defender for Endpoint. |
| displayName | Mac Defender for Endpoint Full Disk Access |
| version | 2 |
| payloadName | Mac MDATP Full Disk Access |
| payloadFileName | fulldisk.mobileconfig |
| payload | (payload omitted) |
| deploymentChannel | deviceChannel |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Apple Business | 1 | Static | (device.deviceOSType -contains "macOS") or (device.deviceOSType -contains "OS X") or (device.deviceModel -contains "MacBook Air") or (device.deviceModel -contains "MacBook Pro") | apply | direct | Include |
Mac Defender for Endpoint Network Filter
As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft 365 Defender portal. The following policy allows the network extension to perform this functionality.
| Property | Value |
| @odata.type | #microsoft.graph.macOSCustomConfiguration |
| id | 5d61dac5-40ce-47d8-80fc-73e8dbaa48ba |
| lastModifiedDateTime | 04/08/2022 16:26:17 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsEdition | |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 04/08/2022 16:26:17 |
| description | As part of the Endpoint Detection and Response capabilities, Microsoft Defender for Endpoint on macOS inspects socket traffic and reports this information to the Microsoft 365 Defender portal. The following policy allows the network extension to perform this functionality. |
| displayName | Mac Defender for Endpoint Network Filter |
| version | 1 |
| payloadName | Mac Defender for Endpoint Network Filter |
| payloadFileName | netfilter.mobileconfig |
| payload | (payload omitted) |
| deploymentChannel | deviceChannel |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Apple Business | 1 | Static | (device.deviceOSType -contains "macOS") or (device.deviceOSType -contains "OS X") or (device.deviceModel -contains "MacBook Air") or (device.deviceModel -contains "MacBook Pro") | apply | direct | Include |
Mac Defender for Endpoint Notifications
This profile is used to allow Microsoft Defender for Endpoint on macOS and Microsoft Auto Update to display notifications in UI on macOS 10.15 (Catalina) or newer.
| Property | Value |
| @odata.type | #microsoft.graph.macOSCustomConfiguration |
| id | 43e52813-e3b7-478e-a692-a52cddf1b3f1 |
| lastModifiedDateTime | 04/08/2022 16:28:34 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsEdition | |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 04/08/2022 16:28:34 |
| description | This profile is used to allow Microsoft Defender for Endpoint on macOS and Microsoft Auto Update to display notifications in UI on macOS 10.15 (Catalina) or newer. |
| displayName | Mac Defender for Endpoint Notifications |
| version | 1 |
| payloadName | Mac Defender for Endpoint Notifications |
| payloadFileName | notif.mobileconfig |
| payload | (payload omitted) |
| deploymentChannel | deviceChannel |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Apple Business | 1 | Static | (device.deviceOSType -contains "macOS") or (device.deviceOSType -contains "OS X") or (device.deviceModel -contains "MacBook Air") or (device.deviceModel -contains "MacBook Pro") | apply | direct | Include |
Mac Firewall
Require enable/disable firewall on MacOS devices.
| Property | Value |
| @odata.type | #microsoft.graph.macOSEndpointProtectionConfiguration |
| id | be972483-7f59-4965-bbd7-41aaa9c0b1cc |
| lastModifiedDateTime | 05/26/2022 17:04:45 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsEdition | |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 05/26/2022 17:04:45 |
| description | Require enable/disable firewall on MacOS devices. |
| displayName | Mac Firewall |
| version | 1 |
| gatekeeperAllowedAppSource | macAppStoreAndIdentifiedDevelopers |
| gatekeeperBlockOverride | True |
| firewallEnabled | True |
| firewallBlockAllIncoming | |
| firewallEnableStealthMode | True |
| fileVaultEnabled | |
| fileVaultSelectedRecoveryKeyTypes | notConfigured |
| fileVaultInstitutionalRecoveryKeyCertificate | |
| fileVaultInstitutionalRecoveryKeyCertificateFileName | |
| fileVaultPersonalRecoveryKeyHelpMessage | |
| fileVaultAllowDeferralUntilSignOut | |
| fileVaultNumberOfTimesUserCanIgnore | |
| fileVaultDisablePromptAtSignOut | |
| fileVaultPersonalRecoveryKeyRotationInMonths | |
| fileVaultHidePersonalRecoveryKey | |
| advancedThreatProtectionRealTime | notConfigured |
| advancedThreatProtectionCloudDelivered | notConfigured |
| advancedThreatProtectionAutomaticSampleSubmission | notConfigured |
| advancedThreatProtectionDiagnosticDataCollection | notConfigured |
| advancedThreatProtectionExcludedFolders | |
| advancedThreatProtectionExcludedFiles | |
| advancedThreatProtectionExcludedExtensions | |
| advancedThreatProtectionExcludedProcesses | |
| firewallApplications | |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Apple Business | 1 | Static | (device.deviceOSType -contains "macOS") or (device.deviceOSType -contains "OS X") or (device.deviceModel -contains "MacBook Air") or (device.deviceModel -contains "MacBook Pro") | apply | direct | Include |
Mac Kernel Extensions
This profile is needed for MacOS 10.15 (Catalina) or older. It will be ignored on newer MacOS.
| Property | Value |
| @odata.type | #microsoft.graph.macOSExtensionsConfiguration |
| id | a4dc11b2-744a-4cff-88a3-1190841b926e |
| lastModifiedDateTime | 04/08/2022 16:16:51 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsEdition | |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 04/08/2022 16:16:51 |
| description | This profile is needed for MacOS 10.15 (Catalina) or older. It will be ignored on newer MacOS. |
| displayName | Mac Kernel Extensions |
| version | 1 |
| kernelExtensionOverridesAllowed | |
| kernelExtensionAllowedTeamIdentifiers | UBF8T346G9 |
| systemExtensionsBlockOverride | |
| systemExtensionsAllowedTeamIdentifiers | |
| kernelExtensionsAllowed | |
| systemExtensionsAllowed | |
| systemExtensionsAllowedTypes | |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Apple Business | 1 | Static | (device.deviceOSType -contains "macOS") or (device.deviceOSType -contains "OS X") or (device.deviceModel -contains "MacBook Air") or (device.deviceModel -contains "MacBook Pro") | apply | direct | Include |
Mac MDATP onboarding
Required for all Mac versions
| Property | Value |
| @odata.type | #microsoft.graph.macOSCustomConfiguration |
| id | e8e07c2d-2bc0-4353-966b-28a2bf8523ca |
| lastModifiedDateTime | 04/08/2022 16:18:00 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsEdition | |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 04/08/2022 16:10:49 |
| description | Required for all Mac versions |
| displayName | Mac MDATP onboarding |
| version | 2 |
| payloadName | MDATP onboarding for MacOS |
| payloadFileName | WindowsDefenderATPOnboarding.xml |
| payload | 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 |
| deploymentChannel | deviceChannel |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Apple Business | 1 | Static | (device.deviceOSType -contains "macOS") or (device.deviceOSType -contains "OS X") or (device.deviceModel -contains "MacBook Air") or (device.deviceModel -contains "MacBook Pro") | apply | direct | Include |
XenFi Wifi
WiFi settings for the SLC office.
| Property | Value |
| @odata.type | #microsoft.graph.windowsWifiConfiguration |
| id | ace48d61-3a43-4ce6-99fe-26d402cb79b9 |
| lastModifiedDateTime | 07/21/2022 22:04:56 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsEdition | |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 11/05/2021 20:34:22 |
| description | WiFi settings for the SLC office. |
| displayName | XenFi Wifi |
| version | 4 |
| preSharedKey | |
| wifiSecurityType | wpa2Personal |
| meteredConnectionLimit | unrestricted |
| ssid | XenFi |
| networkName | XenFi |
| connectAutomatically | True |
| connectToPreferredNetwork | |
| connectWhenNetworkNameIsHidden | |
| proxySetting | none |
| proxyManualAddress | |
| proxyManualPort | |
| proxyAutomaticConfigurationUrl | |
| forceFIPSCompliance | True |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Users | - | BuiltIn | - | apply | direct | Include |
XenFi WiFi
| Property | Value |
| @odata.type | #microsoft.graph.macOSWiFiConfiguration |
| id | c459745f-cbbf-4aac-bd08-b7ae4d6f2b64 |
| lastModifiedDateTime | 07/21/2022 21:28:40 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsEdition | |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 03/25/2022 17:18:04 |
| description | |
| displayName | XenFi WiFi |
| version | 5 |
| networkName | 94490a93-da69-43b9-8e82-91cfcf020a4a |
| ssid | XenFi |
| connectAutomatically | True |
| connectWhenNetworkNameIsHidden | |
| wiFiSecurityType | wpaPersonal |
| proxySettings | none |
| proxyManualAddress | |
| proxyManualPort | |
| proxyAutomaticConfigurationUrl | |
| deploymentChannel | |
| preSharedKey | |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Apple Business | 1 | Static | (device.deviceOSType -contains "macOS") or (device.deviceOSType -contains "OS X") or (device.deviceModel -contains "MacBook Air") or (device.deviceModel -contains "MacBook Pro") | apply | direct | Include |
Enrollment Configuration
This section contains all Enrollment configurations in Intune.
Enrollment Limit - All users and all devices
This is the default Device Limit Restriction applied with the lowest priority to all users regardless of group membership.
All users and all devices
| Property | Value |
| @odata.type | #microsoft.graph.deviceEnrollmentLimitConfiguration |
| id | aeaba85a-84ce-4deb-b0fd-e22de311a7a7_DefaultLimit |
| displayName | All users and all devices |
| description | This is the default Device Limit Restriction applied with the lowest priority to all users regardless of group membership. |
| priority | |
| createdDateTime | 01/01/0001 00:00:00 |
| lastModifiedDateTime | 06/19/2024 21:08:37 |
| version | |
| roleScopeTagIds | |
| deviceEnrollmentConfigurationType | limit |
| limit | 6 |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuiltIn | - | - | direct | Include |
Platform Restrictions - All users and all devices
This is the default Device Type Restriction applied with the lowest priority to all users regardless of group membership.
All users and all devices
| Property | Value |
| @odata.type | #microsoft.graph.deviceEnrollmentPlatformRestrictionsConfiguration |
| id | aeaba85a-84ce-4deb-b0fd-e22de311a7a7_DefaultPlatformRestrictions |
| displayName | All users and all devices |
| description | This is the default Device Type Restriction applied with the lowest priority to all users regardless of group membership. |
| priority | |
| createdDateTime | 01/01/0001 00:00:00 |
| lastModifiedDateTime | 06/19/2024 21:08:37 |
| version | |
| roleScopeTagIds | |
| deviceEnrollmentConfigurationType | platformRestrictions |
| visionOSRestriction | |
| tvosRestriction | |
| iosRestriction | @{platformBlocked=False; personalDeviceEnrollmentBlocked=False; osMinimumVersion=; osMaximumVersion=; blockedManufacturers=System.Object[]; blockedSkus=System.Object[]} |
| windowsRestriction | @{platformBlocked=False; personalDeviceEnrollmentBlocked=False; osMinimumVersion=; osMaximumVersion=; blockedManufacturers=System.Object[]; blockedSkus=System.Object[]} |
| windowsHomeSkuRestriction | @{platformBlocked=False; personalDeviceEnrollmentBlocked=False; osMinimumVersion=; osMaximumVersion=; blockedManufacturers=System.Object[]; blockedSkus=System.Object[]} |
| windowsMobileRestriction | @{platformBlocked=True; personalDeviceEnrollmentBlocked=False; osMinimumVersion=; osMaximumVersion=; blockedManufacturers=System.Object[]; blockedSkus=System.Object[]} |
| androidRestriction | @{platformBlocked=False; personalDeviceEnrollmentBlocked=False; osMinimumVersion=; osMaximumVersion=; blockedManufacturers=System.Object[]; blockedSkus=System.Object[]} |
| androidForWorkRestriction | @{platformBlocked=False; personalDeviceEnrollmentBlocked=False; osMinimumVersion=; osMaximumVersion=; blockedManufacturers=System.Object[]; blockedSkus=System.Object[]} |
| macRestriction | @{platformBlocked=False; personalDeviceEnrollmentBlocked=False; osMinimumVersion=; osMaximumVersion=; blockedManufacturers=System.Object[]; blockedSkus=System.Object[]} |
| macOSRestriction | @{platformBlocked=False; personalDeviceEnrollmentBlocked=False; osMinimumVersion=; osMaximumVersion=; blockedManufacturers=System.Object[]; blockedSkus=System.Object[]} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuiltIn | - | - | direct | Include |
Windows Hello for Business - All users and all devices
This is the default Windows Hello for Business configuration applied with the lowest priority to all users regardless of group membership.
All users and all devices
| Property | Value |
| @odata.type | #microsoft.graph.deviceEnrollmentWindowsHelloForBusinessConfiguration |
| id | aeaba85a-84ce-4deb-b0fd-e22de311a7a7_DefaultWindowsHelloForBusiness |
| displayName | All users and all devices |
| description | This is the default Windows Hello for Business configuration applied with the lowest priority to all users regardless of group membership. |
| priority | |
| createdDateTime | 01/01/0001 00:00:00 |
| lastModifiedDateTime | 06/19/2024 21:08:37 |
| version | |
| roleScopeTagIds | |
| deviceEnrollmentConfigurationType | windowsHelloForBusiness |
| pinMinimumLength | 6 |
| pinMaximumLength | 127 |
| pinUppercaseCharactersUsage | allowed |
| pinLowercaseCharactersUsage | allowed |
| pinSpecialCharactersUsage | allowed |
| state | enabled |
| securityDeviceRequired | |
| unlockWithBiometricsEnabled | True |
| remotePassportEnabled | True |
| pinPreviousBlockCount | 5 |
| pinExpirationInDays | |
| enhancedBiometricsState | enabled |
| securityKeyForSignIn | enabled |
| enhancedSignInSecurity | |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuiltIn | - | - | direct | Include |
ESP - All users and all devices
This is the default enrollment status screen configuration applied with the lowest priority to all users and all devices regardless of group membership.
All users and all devices
| Property | Value |
| @odata.type | #microsoft.graph.windows10EnrollmentCompletionPageConfiguration |
| id | aeaba85a-84ce-4deb-b0fd-e22de311a7a7_DefaultWindows10EnrollmentCompletionPageConfiguration |
| displayName | All users and all devices |
| description | This is the default enrollment status screen configuration applied with the lowest priority to all users and all devices regardless of group membership. |
| priority | |
| createdDateTime | 01/01/0001 00:00:00 |
| lastModifiedDateTime | 06/19/2024 21:08:37 |
| version | |
| roleScopeTagIds | |
| deviceEnrollmentConfigurationType | windows10EnrollmentCompletionPageConfiguration |
| showInstallationProgress | |
| blockDeviceSetupRetryByUser | True |
| allowDeviceResetOnInstallFailure | |
| allowLogCollectionOnInstallFailure | |
| customErrorMessage | |
| installProgressTimeoutInMinutes | |
| allowDeviceUseOnInstallFailure | |
| selectedMobileAppIds | |
| allowNonBlockingAppInstallation | |
| installQualityUpdates | |
| trackInstallProgressForAutopilotOnly | |
| disableUserStatusTrackingAfterFirstUser | |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Devices | - | BuiltIn | - | - | direct | Include |
ESP - Basics
Basics
| Property | Value |
| @odata.type | #microsoft.graph.windows10EnrollmentCompletionPageConfiguration |
| id | 9f9dc144-f24f-451b-a1fd-8893946fa431_Windows10EnrollmentCompletionPageConfiguration |
| displayName | Basics |
| description | |
| priority | 1 |
| createdDateTime | 06/13/2023 21:55:48 |
| lastModifiedDateTime | 06/15/2023 18:36:22 |
| version | 4 |
| roleScopeTagIds | 0 |
| deviceEnrollmentConfigurationType | windows10EnrollmentCompletionPageConfiguration |
| showInstallationProgress | True |
| blockDeviceSetupRetryByUser | |
| allowDeviceResetOnInstallFailure | True |
| allowLogCollectionOnInstallFailure | True |
| customErrorMessage | Setup could not be completed. Please try again or contact your support person for help. |
| installProgressTimeoutInMinutes | 60 |
| allowDeviceUseOnInstallFailure | True |
| selectedMobileAppIds | |
| allowNonBlockingAppInstallation | |
| installQualityUpdates | |
| trackInstallProgressForAutopilotOnly | True |
| disableUserStatusTrackingAfterFirstUser | True |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Autopilot | 1 | DynamicDevice | (device.devicePhysicalIDs -any (_ -contains "[ZTDID]")) | - | direct | Include |
Device Management Partners
This section contains all device management partners defined in Intune.
Jamf
| Property | Value |
| id | 007d2fff-e0dd-4b28-8595-cec005efe5cd |
| lastHeartbeatDateTime | 01/01/0001 00:00:00 |
| partnerState | unknown |
| partnerAppType | singleTenantApp |
| singleTenantAppId | |
| displayName | Jamf |
| isConfigured | |
| whenPartnerDevicesWillBeRemovedDateTime | |
| whenPartnerDevicesWillBeMarkedAsNonCompliantDateTime | |
| groupsRequiringPartnerEnrollment | |
PowerShell Scripts
This section contains a list of all PowerShell scripts available in Intune.
Disable Fastboot
Some lab software requires fastboot to be disabled; such as NI MAX.
| Property | Value |
| id | 0f2e88d4-cfce-40f4-9d83-7e68493c3c23 |
| displayName | Disable Fastboot |
| description | Some lab software requires fastboot to be disabled; such as NI MAX. |
| enforceSignatureCheck | |
| runAs32Bit | |
| runAsAccount | system |
| fileName | disable-fastboot.ps1 |
| scriptContent | $Path = "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power"
$Name = "HiberbootEnabled"
$Type = "DWORD"
$Value = 1
Try {
    $Registry = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Lab Computers | 1 | DynamicDevice | (device.displayName -startsWith "lab-") | - | Include |
Patch CVE-2022-30190
https://github.com/XenterMD/CVE-Patching/blob/main/2022/cve-2022-30190.ps1
| Property | Value |
| id | 1570d01f-89a4-41d1-8bf6-d7ca844d1b17 |
| displayName | Patch CVE-2022-30190 |
| description | https://github.com/XenterMD/CVE-Patching/blob/main/2022/cve-2022-30190.ps1 |
| enforceSignatureCheck | |
| runAs32Bit | True |
| runAsAccount | system |
| fileName | cve-2022-30190.ps1 |
| scriptContent | <# Source: https://msrc-blog.microsoft.com/2022/05/30/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
On Monday May 30, 2022, Microsoft issued CVE-2022-30190 regarding the Microsoft Support Diagnostic Tool (MSDT) in Windows vulnerability. A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user's rights.
Workaround: To disable the MSDT URL Protocol
Disabling MSDT URL protocol prevents troubleshooters being launched as links including links throughout the operating system. Troubleshooters can still be accessed using the Get Help application and in system settings as other or additional troubleshooters.
Follow these steps to disable:
1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command "reg export HKEY_CLASSES_ROOT\ms-msdt filename"
3. Execute the command "reg delete HKEY_CLASSES_ROOT\ms-msdt /f".
How to undo the workaround
1. Run Command Prompt as Administrator.
2. To back up the registry key, execute the command "reg import filename"
Microsoft Defender Detections & Protections
Customers with Microsoft Defender Antivirus should turn-on cloud-delivered protection and automatic sample submission. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
Customers of Microsoft Defender for Endpoint can enable attack surface reduction rule "BlockOfficeCreateProcessRule" that blocks Office apps from creating child processes. Creating malicious child processes is a common malware strategy. For more information see Attack surface reduction rules overview.
Microsoft Defender Antivirus provides detections and protections for possible vulnerability exploitation under the following signatures using detection build 1.367.719.0 or newer:
- Trojan:Win32/Mesdetty.A (blocks msdt command line)
- Trojan:Win32/Mesdetty.B (blocks msdt command line)
- Behavior:Win32/MesdettyLaunch.A!blk (terminates the process that launched msdt command line)
Microsoft Defender for Endpoint provides customers detections and alerts. The following alert title in the Microsoft 365 Defender portal can indicate threat activity on your network:
- Suspicious behavior by an Office application
- Suspicious behavior by Msdt.exe
#>
# Define registry key
$regkey = "HKEY_CLASSES_ROOT\ms-msdt"
# Define backup location
$bak = "C:\registry_ms-msdt.reg.bak"
# If regkey exists
if (Test-Path -Path registry::$regkey) {
    Write-Host -ForegroundColor Red "Vulnerability detected: CVE-2022-30190. Beginning remediation…"
    # Backup registry key
    reg export $regkey $bak /y |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Windows | 1 | DynamicDevice | (device.deviceOSType -eq "Windows") | - | Include |
Enable WSL
| Property | Value |
| id | 7e9a029a-7b70-4473-b044-747dc02425dc |
| displayName | Enable WSL |
| description | |
| enforceSignatureCheck | |
| runAs32Bit | |
| runAsAccount | system |
| fileName | Enable-Wsl.ps1 |
| scriptContent | Enable-WindowsOptionalFeature -Online -FeatureName "Microsoft-Windows-Subsystem-Linux" -All -NoRestart |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Users | 1 | DynamicUser | (user.userType -eq "Member") | - | Include |
Update Python for LabPC
Update to add new Python packages to lab computers.
| Property | Value |
| id | 974d28dc-2dc6-47d4-a27c-25c8aa5de855 |
| displayName | Update Python for LabPC |
| description | Update to add new Python packages to lab computers. |
| enforceSignatureCheck | |
| runAs32Bit | |
| runAsAccount | system |
| fileName | pythonupdate.ps1 |
| scriptContent | <# This script is used to configure a lab PC for use. The following steps are taken:
1. Install Pip Packages
2. Add Python to system PATH
#>
$pythonPath='C:\Users\LabUser\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0'
$PathArray = $Env:PSModulePath.Split(";")
# Install pip packages using pip from $pythonPath
& "$pythonPath\pip.exe" install pyvisa pyusb zeroconf numpy matplotlib pdfkit qrcode pandas tkcalendar
# Add Python to path
if($PathArray -notcontains $pythonPath) {
    [Environment]::SetEnvironmentVariable( "Path", [Environment]::GetEnvironmentVariable("Path", [EnvironmentVariableTarget]::Machine) + ";$pythonPath", [EnvironmentVariableTarget]::Machine)
    write-host "Added Python to System Path"
}
# Reload PATH
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User") |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Lab Computers | 1 | DynamicDevice | (device.displayName -startsWith "lab-") | - | Include |
Disable WSL
| Property | Value |
| id | a5da6193-1070-4fa9-a6f9-ce43b7c4e53e |
| displayName | Disable WSL |
| description | |
| enforceSignatureCheck | |
| runAs32Bit | |
| runAsAccount | system |
| fileName | Disable-Wsl.ps1 |
| scriptContent | Disable-WindowsOptionalFeature -Online -FeatureName "Microsoft-Windows-Subsystem-Linux" -NoRestart |
lab-pc-configuration
This script is used to configure a lab PC for use. The following steps are taken:
1. Install Pip Packages
2. Add nipkg, python, libusb to system PATH
3. Set computers to never sleep
4. Install NI Packages
| Property | Value |
| id | c4f64c6f-7105-4f2e-b913-fbfb5591b053 |
| displayName | lab-pc-configuration |
| description | This script is used to configure a lab PC for use. The following steps are taken: 1. Install Pip Packages 2. Add nipkg, python, libusb to system PATH 3. Set computers to never sleep 4. Install NI Packages |
| enforceSignatureCheck | |
| runAs32Bit | |
| runAsAccount | system |
| fileName | lab-pc-configuration.ps1 |
| scriptContent | <# This script is used to configure a lab PC for use. The following steps are taken:
1. Install Pip Packages
2. Add nipkg, python, libusb to system PATH
3. Install NI Packages
4. Set computers to never sleep
#>
$pythonPath='C:\Users\LabUser\AppData\Local\Microsoft\WindowsApps\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0'
$libusbPath='C:\Users\LabUser\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.8_qbz5n2kfra8p0\LocalCache\local-packages\Python38\site-packages\libusb\_platform\_windows\x64'
$nipkgPath='C:\Program Files\National Instruments\NI Package Manager'
$PathArray = $Env:PSModulePath.Split(";")
#$envPath=[Environment]::GetEnvironmentVariable("Path")
# Install pip packages using pip from $pythonPath
& "$pythonPath\pip.exe" install pyvisa libusb pyusb zeroconf numpy matplotlib pdfkit qrcode pandas
# Add programs to path
if($PathArray -notcontains $pythonPath) {
    [Environment]::SetEnvironmentVariable( "Path", [Environment]::GetEnvironmentVariable("Path", [EnvironmentVariableTarget]::Machine) + ";$pythonPath", [EnvironmentVariableTarget]::Machine)
    write-host "Added Python to System Path"
}
if($PathArray -notcontains $libusbPath) {
    [Environment]::SetEnvironmentVariable( "Path", [Environment]::GetEnvironmentVariable("Path", [EnvironmentVariableTarget]::Machine) + ";$libusbPath", [EnvironmentVariableTarget]::Machine)
    write-host "Added LibUSB to System Path"
}
if($PathArray -notcontains $nipkgPath) {
    [Environment]::SetEnvironmentVariable( "Path", [Environment]::GetEnvironmentVariable("Path", [EnvironmentVariableTarget]::Machine) + ";$nipkgPath", [EnvironmentVariableTarget]::Machine)
    write-host "Added nipkg to System Path"
}
# Reload PATH
$env:Path = [System.Environment]::GetEnvironmentVariable("Path","Machine") + ";" + [System.Environment]::GetEnvironmentVariable("Path","User")
# Configure computer to never sleep (set to 0 to never sleep)
powercfg -change -standby-timeout-ac 0
# Install NI Packages
nipkg.exe install --accept-eulas ni-system-configuration ni-visa ni-hwcfg-utility ni-max ni-syscfg-dotnet-runtime ni-syscfg-cvi-support ni-usblandevice ni-web-based-configuration |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| Lab Computers | 1 | DynamicDevice | (device.displayName -startsWith "lab-") | - | Include |
Disable Application Guard
Disable Application Guard because it has been deprecated by Microsoft
| Property | Value |
| id | c547194e-2180-4764-bb7f-11911ebefded |
| displayName | Disable Application Guard |
| description | Disable Application Guard because it has been deprecated by Microsoft |
| enforceSignatureCheck | |
| runAs32Bit | |
| runAsAccount | system |
| fileName | disable application guard.ps1 |
| scriptContent | # Set execution policy for the current session
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
try {
    if ((Get-WindowsOptionalFeature -FeatureName Windows-Defender-ApplicationGuard -Online).State -eq "Enabled") {
        Disable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    }
} catch {
    Write-Output "An error occurred: $($_.Exception.Message)"
} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Users | - | BuiltIn | - | - | Include |
Windows Update Configuration
This section contains a list of all Windows Update configuration profiles available in Intune.
Update policy for Windows 10 devices
| Property | Value |
| @odata.type | #microsoft.graph.windowsUpdateForBusinessConfiguration |
| id | b1845d94-b421-44be-855b-35449c956e7c |
| lastModifiedDateTime | 11/01/2021 21:44:07 |
| roleScopeTagIds | 0 |
| supportsScopeTags | True |
| deviceManagementApplicabilityRuleOsEdition | |
| deviceManagementApplicabilityRuleOsVersion | |
| deviceManagementApplicabilityRuleDeviceMode | |
| createdDateTime | 09/09/2021 16:45:43 |
| description | |
| displayName | Update policy for Windows 10 devices |
| version | 2 |
| deliveryOptimizationMode | httpWithPeeringNat |
| prereleaseFeatures | userDefined |
| automaticUpdateMode | autoInstallAtMaintenanceTime |
| microsoftUpdateServiceAllowed | True |
| driversExcluded | |
| qualityUpdatesDeferralPeriodInDays | |
| featureUpdatesDeferralPeriodInDays | |
| qualityUpdatesPaused | |
| featureUpdatesPaused | |
| qualityUpdatesPauseExpiryDateTime | 01/01/0001 00:00:00 |
| featureUpdatesPauseExpiryDateTime | 01/01/0001 00:00:00 |
| businessReadyUpdatesOnly | all |
| skipChecksBeforeRestart | |
| updateWeeks | |
| qualityUpdatesPauseStartDate | |
| featureUpdatesPauseStartDate | |
| featureUpdatesRollbackWindowInDays | |
| qualityUpdatesWillBeRolledBack | |
| featureUpdatesWillBeRolledBack | |
| qualityUpdatesRollbackStartDateTime | 01/01/0001 00:00:00 |
| featureUpdatesRollbackStartDateTime | 01/01/0001 00:00:00 |
| engagedRestartDeadlineInDays | |
| engagedRestartSnoozeScheduleInDays | |
| engagedRestartTransitionScheduleInDays | |
| deadlineForFeatureUpdatesInDays | |
| deadlineForQualityUpdatesInDays | |
| deadlineGracePeriodInDays | |
| postponeRebootUntilAfterDeadline | |
| autoRestartNotificationDismissal | notConfigured |
| scheduleRestartWarningInHours | |
| scheduleImminentRestartWarningInMinutes | |
| userPauseAccess | notConfigured |
| userWindowsUpdateScanAccess | notConfigured |
| updateNotificationLevel | notConfigured |
| allowWindows11Upgrade | |
| installationSchedule | @{@odata.type=#microsoft.graph.windowsUpdateActiveHoursInstall; activeHoursStart=06:00:00.0000000; activeHoursEnd=22:00:00.0000000} |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Users | 1 | DynamicUser | (user.userType -eq "Member") | apply | direct | Include |
Mobile Apps
This section contains a list of all applications available in Intune.
| Publisher | DisplayName | Type | Assignments |
| | com.microsoft.math | androidManagedStoreApp | All Users - Intent:available |
| 15Five Inc | 15Five | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| 8bit Solutions LLC | Bitwarden | winGetApp | allLicensedUsersAssignmentTarget - Intent:uninstall allDevicesAssignmentTarget - Intent:uninstall |
| 8bit Solutions LLC | Bitwarden Password Manager | iosStoreApp | Apple Business - Intent:availableWithoutEnrollment |
| Adobe | Adobe Acrobat Reader | win32LobApp | allDevicesAssignmentTarget - Intent:required |
| Adobe | Adobe Acrobat Reader DC | win32LobApp | allDevicesAssignmentTarget - Intent:uninstall |
| Adobe | Adobe Acrobat Reader: Edit PDF | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Adobe | Adobe Acrobat Sign | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Amazon Mobile LLC | Amazon Shopping | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Apple | Apple Configurator | iosStoreApp | Information Technology - Intent:available - Intent:available |
| AQA Company | ISOXpress | winMobileMSI | allLicensedUsersAssignmentTarget - Intent:available |
| Ashish Kulkarni | wkhtmltopdf | win32LobApp | Lab Computers - Intent:required |
| Atlassian | Jira Cloud by Atlassian | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Authy | Twilio Authy Authenticator | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| AWS Mobile LLC | AWS Console | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Bill.com Inc. | BILL Spend & Expense (Divvy) | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Bitwarden | Bitwarden | macOSDmgApp | Apple Business - Intent:required |
| Bitwarden Inc | Bitwarden | win32LobApp | allDevicesAssignmentTarget - Intent:required |
| Bitwarden Inc. | Bitwarden Password Manager | androidManagedStoreApp | - Intent:availableWithoutEnrollment |
| Brother Industries, Ltd. | Brother Print Service Plugin | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Canonical Group Limited | Ubuntu 20.04.6 LTS | winGetApp | allLicensedUsersAssignmentTarget - Intent:available |
| Dynalist Inc. | Obsidian | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| GitHub | GitHub | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| GLPI | GLPI Agent | win32LobApp | allDevicesAssignmentTarget - Intent:required |
| | Google Chrome | winMobileMSI | allLicensedUsersAssignmentTarget - Intent:available Lab Computers - Intent:required |
| Google LLC | Gboard - the Google Keyboard | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Google LLC | Gmail | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Google LLC | Google Authenticator | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Google LLC | Google Chrome | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Kenji Mouri | NanaZip | winGetApp | allDevicesAssignmentTarget - Intent:required |
| LENOVO INC. | Lenovo Vantage | winGetApp | allDevicesAssignmentTarget - Intent:required |
| | LinkedIn: Jobs & Business News | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Logitech | Logitech G HUB | win32LobApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft | Microsoft 365 Apps for macOS | macOSOfficeSuiteApp | Apple Business - Intent:required allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft | Microsoft 365 Apps for Windows 10 and later | officeSuiteApp | allLicensedUsersAssignmentTarget - Intent:available allDevicesAssignmentTarget - Intent:required |
| Microsoft | Microsoft Azure CLI (64-bit) | winMobileMSI | Information Technology - Intent:available |
| Microsoft | Microsoft Defender for Endpoint (macOS) | macOSMicrosoftDefenderApp | allDevicesAssignmentTarget - Intent:required |
| Microsoft | Microsoft Edge for macOS | macOSMicrosoftEdgeApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft | Powershell 7.2.5 | macOSLobApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft | Project | officeSuiteApp | Visio - Intent:available Microsoft Project - Intent:required |
| Microsoft | SQL Server Management Studio | win32LobApp | Software - Intent:available |
| Microsoft | Visio | officeSuiteApp | Visio - Intent:available |
| Microsoft | VS Code | win32LobApp | allLicensedUsersAssignmentTarget - Intent:available Lab Computers - Intent:required |
| Microsoft Corporation | Azure Information Protection | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Company Portal | winGetApp | allLicensedUsersAssignmentTarget - Intent:required |
| Microsoft Corporation | Dynamics 365 Business Central | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | HEIF Image Extensions | winGetApp | allLicensedUsersAssignmentTarget - Intent:required |
| Microsoft Corporation | Intune Company Portal | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:availableWithoutEnrollment allDevicesAssignmentTarget - Intent:required |
| Microsoft Corporation | Link to Windows | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft 365 Admin | androidManagedStoreApp | Information Technology - Intent:available - Intent:available |
| Microsoft Corporation | Microsoft 365 Copilot | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Authenticator | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Azure | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Edge: AI browser | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Edge: Web Browser | iosStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Excel | iosStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Excel: Spreadsheets | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Intune | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:availableWithoutEnrollment allDevicesAssignmentTarget - Intent:required |
| Microsoft Corporation | Microsoft Intune Company Portal | iosStoreApp | allLicensedUsersAssignmentTarget - Intent:required |
| Microsoft Corporation | Microsoft Launcher | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Lens - PDF Scanner | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Loop | winGetApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Office | iosStoreApp | allDevicesAssignmentTarget - Intent:required |
| Microsoft Corporation | Microsoft OneDrive | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft OneDrive | iosStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft OneNote | iosStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft OneNote: Save Notes | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Outlook | iosStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Outlook | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Planner | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Power BI | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft PowerPoint | iosStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft PowerPoint | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft SharePoint | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Teams | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Teams | iosStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft To Do: Lists & Tasks | androidManagedStoreApp | All Users - Intent:available |
| Microsoft Corporation | Microsoft Translator | androidManagedStoreApp | All Users - Intent:available |
| Microsoft Corporation | Microsoft Word | iosStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Microsoft Word: Edit Documents | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Power Apps | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Power Automate | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | Remote Desktop | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Microsoft Corporation | VP9 Video Extensions | winGetApp | allLicensedUsersAssignmentTarget - Intent:required |
| Mozilla | Firefox Fast & Private Browser | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Mozilla | Mozilla Firefox | winGetApp | allLicensedUsersAssignmentTarget - Intent:available |
| mRemoteNG | mRemoteNG | winMobileMSI | allLicensedUsersAssignmentTarget - Intent:available |
| National Instruments | NI Package Manager | win32LobApp | allLicensedUsersAssignmentTarget - Intent:available Lab Computers - Intent:required |
| OBSBOT | Obsbot | win32LobApp | allLicensedUsersAssignmentTarget - Intent:available |
| Okta Inc. | Okta Verify | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| OpenVPN | OpenVPN Connect – OpenVPN App | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Oracle America, Inc. | NetSuite | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| People Center Inc. | Rippling - HR, IT & Finance | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| People Center Inc. | Rippling - Time Clock | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Pritunl | Pritunl | win32LobApp | allLicensedUsersAssignmentTarget - Intent:required allDevicesAssignmentTarget - Intent:required |
| Pritunl, Inc. | Pritunl | macOSLobApp | Apple Business - Intent:available |
| Python Software Foundation | Python 3.8 | win32LobApp | allLicensedUsersAssignmentTarget - Intent:available |
| RealVNC Limited | RealVNC Viewer: Remote Desktop | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Rippling People Center Inc. | Rippling | macOSDmgApp | Apple Business - Intent:required allDevicesAssignmentTarget - Intent:required |
| Royal Apps GmbH | Royal TSD Lite | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Royal Apps GmbH | Royal TSX | macOSDmgApp | Information Technology - Intent:required |
| scloud | Screensaver Deployment | win32LobApp | allLicensedUsersAssignmentTarget - Intent:required |
| Spiceworks | Spiceworks Agent Shell | winMobileMSI | allLicensedUsersAssignmentTarget - Intent:required |
| SwiftKey | Microsoft SwiftKey AI Keyboard | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Termius Corporation | Termius - Modern SSH Client | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| The Python Software Foundation | Python 3.12 | win32LobApp | allLicensedUsersAssignmentTarget - Intent:available |
| Vibe Inc | Vibe Canvas | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
| Zoom Video Communications, Inc. | Zoom Client | macOSLobApp | allLicensedUsersAssignmentTarget - Intent:available |
| Zoom Video Communications, Inc. | Zoom Outlook Plugin | macOSLobApp | allLicensedUsersAssignmentTarget - Intent:available |
| Zoom Video Communications, Inc. | Zoom Workplace (64-bit) | winMobileMSI | allDevicesAssignmentTarget - Intent:required |
| zoom.com | Zoom Rooms Controller | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:availableWithoutEnrollment |
| zoom.com | Zoom Workplace | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:availableWithoutEnrollment |
| zoom.com | Zoom Workplace for Intune | androidManagedStoreApp | allLicensedUsersAssignmentTarget - Intent:available |
Mobile App Management
This section contains a list of all mobile applications management policies available in Intune.
OneDrive mobile policy
OneDrive mobile policy UX set via Admin UX
| Property | Value |
| @odata.type | #microsoft.graph.defaultManagedAppProtection |
| displayName | OneDrive mobile policy |
| description | OneDrive mobile policy UX set via Admin UX |
| createdDateTime | 08/13/2020 16:10:52 |
| lastModifiedDateTime | 01/05/2022 00:06:26 |
| roleScopeTagIds | 0 |
| id | G_4ef35a8f-185a-4b67-8210-278957c7b64c |
| version | "20002f81-0000-0300-0000-61d4e1020000" |
| periodOfflineBeforeAccessCheck | PT1H30M |
| periodOnlineBeforeAccessCheck | P7D |
| allowedInboundDataTransferSources | allApps |
| allowedOutboundDataTransferDestinations | allApps |
| organizationalCredentialsRequired | |
| allowedOutboundClipboardSharingLevel | allApps |
| dataBackupBlocked | |
| deviceComplianceRequired | |
| managedBrowserToOpenLinksRequired | |
| saveAsBlocked | |
| periodOfflineBeforeWipeIsEnforced | P720D |
| pinRequired | |
| maximumPinRetries | 5 |
| simplePinBlocked | |
| minimumPinLength | 8 |
| pinCharacterSet | numeric |
| periodBeforePinReset | PT0S |
| allowedDataStorageLocations | |
| contactSyncBlocked | |
| printBlocked | |
| fingerprintBlocked | |
| disableAppPinIfDevicePinIsSet | |
| maximumRequiredOsVersion | |
| maximumWarningOsVersion | |
| maximumWipeOsVersion | |
| minimumRequiredOsVersion | |
| minimumWarningOsVersion | |
| minimumRequiredAppVersion | |
| minimumWarningAppVersion | |
| minimumWipeOsVersion | |
| minimumWipeAppVersion | |
| appActionIfDeviceComplianceRequired | block |
| appActionIfMaximumPinRetriesExceeded | block |
| pinRequiredInsteadOfBiometricTimeout | |
| allowedOutboundClipboardSharingExceptionLength | |
| notificationRestriction | allow |
| previousPinBlockCount | |
| managedBrowser | notConfigured |
| maximumAllowedDeviceThreatLevel | notConfigured |
| mobileThreatDefenseRemediationAction | block |
| mobileThreatDefensePartnerPriority | |
| blockDataIngestionIntoOrganizationDocuments | |
| allowedDataIngestionLocations | |
| appActionIfUnableToAuthenticateUser | |
| dialerRestrictionLevel | allApps |
| gracePeriodToBlockAppsDuringOffClockHours | |
| protectedMessagingRedirectAppType | anyApp |
| appDataEncryptionType | useDeviceSettings |
| screenCaptureBlocked | |
| allowWidgetContentSync | |
| encryptAppData | |
| disableAppEncryptionIfDeviceEncryptionIsEnabled | |
| minimumRequiredSdkVersion | |
| deployedAppCount | |
| minimumRequiredPatchVersion | 0000-00-00 |
| minimumWarningPatchVersion | 0000-00-00 |
| faceIdBlocked | |
| minimumWipeSdkVersion | |
| minimumWipePatchVersion | 0000-00-00 |
| allowedIosDeviceModels | |
| appActionIfIosDeviceModelNotAllowed | block |
| allowedAndroidDeviceManufacturers | |
| appActionIfAndroidDeviceManufacturerNotAllowed | block |
| thirdPartyKeyboardsBlocked | |
| filterOpenInToOnlyManagedApps | |
| disableProtectionOfManagedOutboundOpenInData | |
| protectInboundDataFromUnknownSources | |
| requiredAndroidSafetyNetDeviceAttestationType | none |
| appActionIfAndroidSafetyNetDeviceAttestationFailed | block |
| requiredAndroidSafetyNetAppsVerificationType | none |
| appActionIfAndroidSafetyNetAppsVerificationFailed | block |
| customBrowserProtocol | |
| customBrowserPackageId | |
| customBrowserDisplayName | |
| minimumRequiredCompanyPortalVersion | |
| minimumWarningCompanyPortalVersion | |
| minimumWipeCompanyPortalVersion | |
| allowedAndroidDeviceModels | |
| appActionIfAndroidDeviceModelNotAllowed | block |
| customDialerAppProtocol | |
| customDialerAppPackageId | |
| customDialerAppDisplayName | |
| biometricAuthenticationBlocked | |
| requiredAndroidSafetyNetEvaluationType | basic |
| blockAfterCompanyPortalUpdateDeferralInDays | |
| warnAfterCompanyPortalUpdateDeferralInDays | |
| wipeAfterCompanyPortalUpdateDeferralInDays | |
| deviceLockRequired | |
| appActionIfDeviceLockNotSet | block |
| connectToVpnOnLaunch | |
| appActionIfDevicePasscodeComplexityLessThanLow | |
| appActionIfAccountIsClockedOut | |
| appActionIfDevicePasscodeComplexityLessThanMedium | |
| appActionIfDevicePasscodeComplexityLessThanHigh | |
| requireClass3Biometrics | |
| requirePinAfterBiometricChange | |
| fingerprintAndBiometricEnabled | |
| minimumWarningSdkVersion | |
| messagingRedirectAppUrlScheme | |
| messagingRedirectAppDisplayName | |
| messagingRedirectAppPackageId | |
| customSettings | |
| exemptedAppProtocols | |
| exemptedAppPackages | |
OneDrive mobile policy
OneDrive mobile policy UX set via Admin UX
| Property | Value |
| @odata.type | #microsoft.graph.defaultManagedAppProtection |
| displayName | OneDrive mobile policy |
| description | OneDrive mobile policy UX set via Admin UX |
| createdDateTime | 08/13/2020 16:11:25 |
| lastModifiedDateTime | 01/05/2022 00:06:26 |
| roleScopeTagIds | 0 |
| id | G_7db7347d-71bd-4eb6-8d28-3103c1fc24bb |
| version | "11008d05-0000-0300-0000-61d4e1020000" |
| periodOfflineBeforeAccessCheck | PT1H30M |
| periodOnlineBeforeAccessCheck | P7D |
| allowedInboundDataTransferSources | allApps |
| allowedOutboundDataTransferDestinations | allApps |
| organizationalCredentialsRequired | |
| allowedOutboundClipboardSharingLevel | allApps |
| dataBackupBlocked | |
| deviceComplianceRequired | |
| managedBrowserToOpenLinksRequired | |
| saveAsBlocked | |
| periodOfflineBeforeWipeIsEnforced | P720D |
| pinRequired | |
| maximumPinRetries | 5 |
| simplePinBlocked | |
| minimumPinLength | 8 |
| pinCharacterSet | numeric |
| periodBeforePinReset | PT0S |
| allowedDataStorageLocations | |
| contactSyncBlocked | |
| printBlocked | |
| fingerprintBlocked | |
| disableAppPinIfDevicePinIsSet | |
| maximumRequiredOsVersion | |
| maximumWarningOsVersion | |
| maximumWipeOsVersion | |
| minimumRequiredOsVersion | |
| minimumWarningOsVersion | |
| minimumRequiredAppVersion | |
| minimumWarningAppVersion | |
| minimumWipeOsVersion | |
| minimumWipeAppVersion | |
| appActionIfDeviceComplianceRequired | block |
| appActionIfMaximumPinRetriesExceeded | block |
| pinRequiredInsteadOfBiometricTimeout | |
| allowedOutboundClipboardSharingExceptionLength | |
| notificationRestriction | allow |
| previousPinBlockCount | |
| managedBrowser | notConfigured |
| maximumAllowedDeviceThreatLevel | notConfigured |
| mobileThreatDefenseRemediationAction | block |
| mobileThreatDefensePartnerPriority | |
| blockDataIngestionIntoOrganizationDocuments | |
| allowedDataIngestionLocations | |
| appActionIfUnableToAuthenticateUser | |
| dialerRestrictionLevel | allApps |
| gracePeriodToBlockAppsDuringOffClockHours | |
| protectedMessagingRedirectAppType | anyApp |
| appDataEncryptionType | useDeviceSettings |
| screenCaptureBlocked | |
| allowWidgetContentSync | |
| encryptAppData | True |
| disableAppEncryptionIfDeviceEncryptionIsEnabled | |
| minimumRequiredSdkVersion | |
| deployedAppCount | 2 |
| minimumRequiredPatchVersion | 0000-00-00 |
| minimumWarningPatchVersion | 0000-00-00 |
| faceIdBlocked | |
| minimumWipeSdkVersion | |
| minimumWipePatchVersion | 0000-00-00 |
| allowedIosDeviceModels | |
| appActionIfIosDeviceModelNotAllowed | block |
| allowedAndroidDeviceManufacturers | |
| appActionIfAndroidDeviceManufacturerNotAllowed | block |
| thirdPartyKeyboardsBlocked | |
| filterOpenInToOnlyManagedApps | |
| disableProtectionOfManagedOutboundOpenInData | |
| protectInboundDataFromUnknownSources | |
| requiredAndroidSafetyNetDeviceAttestationType | none |
| appActionIfAndroidSafetyNetDeviceAttestationFailed | block |
| requiredAndroidSafetyNetAppsVerificationType | none |
| appActionIfAndroidSafetyNetAppsVerificationFailed | block |
| customBrowserProtocol | |
| customBrowserPackageId | |
| customBrowserDisplayName | |
| minimumRequiredCompanyPortalVersion | |
| minimumWarningCompanyPortalVersion | |
| minimumWipeCompanyPortalVersion | |
| allowedAndroidDeviceModels | |
| appActionIfAndroidDeviceModelNotAllowed | block |
| customDialerAppProtocol | |
| customDialerAppPackageId | |
| customDialerAppDisplayName | |
| biometricAuthenticationBlocked | |
| requiredAndroidSafetyNetEvaluationType | basic |
| blockAfterCompanyPortalUpdateDeferralInDays | |
| warnAfterCompanyPortalUpdateDeferralInDays | |
| wipeAfterCompanyPortalUpdateDeferralInDays | |
| deviceLockRequired | |
| appActionIfDeviceLockNotSet | block |
| connectToVpnOnLaunch | |
| appActionIfDevicePasscodeComplexityLessThanLow | |
| appActionIfAccountIsClockedOut | |
| appActionIfDevicePasscodeComplexityLessThanMedium | |
| appActionIfDevicePasscodeComplexityLessThanHigh | |
| requireClass3Biometrics | |
| requirePinAfterBiometricChange | |
| fingerprintAndBiometricEnabled | |
| minimumWarningSdkVersion | |
| messagingRedirectAppUrlScheme | |
| messagingRedirectAppDisplayName | |
| messagingRedirectAppPackageId | |
| customSettings | |
| exemptedAppProtocols | |
| exemptedAppPackages | |
Default iOS Policy
{}
| Property | Value |
| @odata.type | #microsoft.graph.iosManagedAppProtection |
| displayName | Default iOS Policy |
| description | {} |
| createdDateTime | 08/21/2020 02:22:28 |
| lastModifiedDateTime | 01/04/2022 21:52:23 |
| roleScopeTagIds | 0 |
| id | T_59f5d989-43c2-499f-a5a4-d3f335855a4d |
| version | "0b00b4a3-0000-0300-0000-61d4c1970000" |
| periodOfflineBeforeAccessCheck | PT12H |
| periodOnlineBeforeAccessCheck | PT12H |
| allowedInboundDataTransferSources | allApps |
| allowedOutboundDataTransferDestinations | allApps |
| organizationalCredentialsRequired | |
| allowedOutboundClipboardSharingLevel | allApps |
| dataBackupBlocked | |
| deviceComplianceRequired | |
| managedBrowserToOpenLinksRequired | |
| saveAsBlocked | |
| periodOfflineBeforeWipeIsEnforced | P1D |
| pinRequired | |
| maximumPinRetries | 5 |
| simplePinBlocked | |
| minimumPinLength | 4 |
| pinCharacterSet | numeric |
| periodBeforePinReset | PT0S |
| allowedDataStorageLocations | |
| contactSyncBlocked | |
| printBlocked | |
| fingerprintBlocked | |
| disableAppPinIfDevicePinIsSet | |
| maximumRequiredOsVersion | |
| maximumWarningOsVersion | |
| maximumWipeOsVersion | |
| minimumRequiredOsVersion | |
| minimumWarningOsVersion | |
| minimumRequiredAppVersion | |
| minimumWarningAppVersion | |
| minimumWipeOsVersion | |
| minimumWipeAppVersion | |
| appActionIfDeviceComplianceRequired | block |
| appActionIfMaximumPinRetriesExceeded | block |
| pinRequiredInsteadOfBiometricTimeout | |
| allowedOutboundClipboardSharingExceptionLength | |
| notificationRestriction | allow |
| previousPinBlockCount | |
| managedBrowser | notConfigured |
| maximumAllowedDeviceThreatLevel | notConfigured |
| mobileThreatDefenseRemediationAction | block |
| mobileThreatDefensePartnerPriority | |
| blockDataIngestionIntoOrganizationDocuments | |
| allowedDataIngestionLocations | |
| appActionIfUnableToAuthenticateUser | |
| dialerRestrictionLevel | allApps |
| gracePeriodToBlockAppsDuringOffClockHours | |
| protectedMessagingRedirectAppType | anyApp |
| isAssigned | True |
| targetedAppManagementLevels | unspecified |
| appGroupType | selectedPublicApps |
| appDataEncryptionType | useDeviceSettings |
| minimumRequiredSdkVersion | |
| deployedAppCount | |
| faceIdBlocked | |
| allowWidgetContentSync | |
| minimumWipeSdkVersion | |
| allowedIosDeviceModels | |
| appActionIfIosDeviceModelNotAllowed | block |
| appActionIfAccountIsClockedOut | |
| thirdPartyKeyboardsBlocked | |
| filterOpenInToOnlyManagedApps | |
| disableProtectionOfManagedOutboundOpenInData | |
| protectInboundDataFromUnknownSources | |
| customBrowserProtocol | |
| customDialerAppProtocol | |
| managedUniversalLinks | http://*.sharepoint.com/* http://*.sharepoint-df.com/* http://*.yammer.com/* http://*.onedrive.com/* http://tasks.office.com/* http://to-do.microsoft.com/sharing* http://web.microsoftstream.com/video/* http://msit.microsoftstream.com/video/* http://*.powerbi.com/* http://app.powerbi.cn/* http://app.powerbigov.us/* http://app.powerbi.de/* http://*.service-now.com/* http://*.appsplatform.us/* http://*.powerapps.cn/* http://*.powerapps.com/* http://*.powerapps.us/* http://*teams.microsoft.com/l/* http://*devspaces.skype.com/l/* http://*teams.live.com/l/* http://*collab.apps.mil/l/* http://*teams.microsoft.us/l/* http://*teams-fl.microsoft.com/l/* http://*.zoom.us/* http://zoom.us/* https://*.sharepoint.com/* https://*.sharepoint-df.com/* https://*.yammer.com/* https://*.onedrive.com/* https://tasks.office.com/* https://to-do.microsoft.com/sharing* https://web.microsoftstream.com/video/* https://msit.microsoftstream.com/video/* https://*.powerbi.com/* https://app.powerbi.cn/* https://app.powerbigov.us/* https://app.powerbi.de/* https://*.service-now.com/* https://*.appsplatform.us/* https://*.powerapps.cn/* https://*.powerapps.com/* https://*.powerapps.us/* https://*teams.microsoft.com/l/* https://*devspaces.skype.com/l/* https://*teams.live.com/l/* https://*collab.apps.mil/l/* https://*teams.microsoft.us/l/* https://*teams-fl.microsoft.com/l/* https://*.zoom.us/* https://zoom.us/* |
| exemptedUniversalLinks | http://maps.apple.com https://maps.apple.com http://facetime.apple.com https://facetime.apple.com |
| minimumWarningSdkVersion | |
| messagingRedirectAppUrlScheme | |
| exemptedAppProtocols | |
| Targeted Apps | |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Users | 1 | DynamicUser | (user.userType -eq "Member") | - | direct | Include |
Default Android Policy
{}
| Property | Value |
| @odata.type | #microsoft.graph.androidManagedAppProtection |
| displayName | Default Android Policy |
| description | {} |
| createdDateTime | 08/21/2020 01:45:36 |
| lastModifiedDateTime | 01/04/2022 21:52:25 |
| roleScopeTagIds | 0 |
| id | T_52e262b6-b544-4544-82f3-9f636563cb2e |
| version | "0b0095a8-0000-0300-0000-61d4c1990000" |
| periodOfflineBeforeAccessCheck | PT12H |
| periodOnlineBeforeAccessCheck | PT12H |
| allowedInboundDataTransferSources | allApps |
| allowedOutboundDataTransferDestinations | allApps |
| organizationalCredentialsRequired | |
| allowedOutboundClipboardSharingLevel | allApps |
| dataBackupBlocked | |
| deviceComplianceRequired | |
| managedBrowserToOpenLinksRequired | |
| saveAsBlocked | |
| periodOfflineBeforeWipeIsEnforced | P1D |
| pinRequired | |
| maximumPinRetries | 5 |
| simplePinBlocked | |
| minimumPinLength | 4 |
| pinCharacterSet | numeric |
| periodBeforePinReset | PT0S |
| allowedDataStorageLocations | |
| contactSyncBlocked | |
| printBlocked | |
| fingerprintBlocked | |
| disableAppPinIfDevicePinIsSet | |
| maximumRequiredOsVersion | |
| maximumWarningOsVersion | |
| maximumWipeOsVersion | |
| minimumRequiredOsVersion | |
| minimumWarningOsVersion | |
| minimumRequiredAppVersion | |
| minimumWarningAppVersion | |
| minimumWipeOsVersion | |
| minimumWipeAppVersion | |
| appActionIfDeviceComplianceRequired | block |
| appActionIfMaximumPinRetriesExceeded | block |
| pinRequiredInsteadOfBiometricTimeout | |
| allowedOutboundClipboardSharingExceptionLength | |
| notificationRestriction | allow |
| previousPinBlockCount | |
| managedBrowser | notConfigured |
| maximumAllowedDeviceThreatLevel | notConfigured |
| mobileThreatDefenseRemediationAction | block |
| mobileThreatDefensePartnerPriority | |
| blockDataIngestionIntoOrganizationDocuments | |
| allowedDataIngestionLocations | |
| appActionIfUnableToAuthenticateUser | |
| dialerRestrictionLevel | allApps |
| gracePeriodToBlockAppsDuringOffClockHours | |
| protectedMessagingRedirectAppType | anyApp |
| isAssigned | True |
| targetedAppManagementLevels | unspecified |
| appGroupType | selectedPublicApps |
| screenCaptureBlocked | |
| disableAppEncryptionIfDeviceEncryptionIsEnabled | |
| encryptAppData | |
| deployedAppCount | |
| minimumRequiredPatchVersion | 0000-00-00 |
| minimumWarningPatchVersion | 0000-00-00 |
| minimumWipePatchVersion | 0000-00-00 |
| allowedAndroidDeviceManufacturers | |
| appActionIfAndroidDeviceManufacturerNotAllowed | block |
| appActionIfAccountIsClockedOut | |
| appActionIfSamsungKnoxAttestationRequired | |
| requiredAndroidSafetyNetDeviceAttestationType | none |
| appActionIfAndroidSafetyNetDeviceAttestationFailed | block |
| requiredAndroidSafetyNetAppsVerificationType | none |
| appActionIfAndroidSafetyNetAppsVerificationFailed | block |
| customBrowserPackageId | |
| customBrowserDisplayName | |
| minimumRequiredCompanyPortalVersion | |
| minimumWarningCompanyPortalVersion | |
| minimumWipeCompanyPortalVersion | |
| keyboardsRestricted | |
| allowedAndroidDeviceModels | |
| appActionIfAndroidDeviceModelNotAllowed | block |
| customDialerAppPackageId | |
| customDialerAppDisplayName | |
| biometricAuthenticationBlocked | |
| requiredAndroidSafetyNetEvaluationType | basic |
| blockAfterCompanyPortalUpdateDeferralInDays | |
| warnAfterCompanyPortalUpdateDeferralInDays | |
| wipeAfterCompanyPortalUpdateDeferralInDays | |
| deviceLockRequired | |
| appActionIfDeviceLockNotSet | block |
| connectToVpnOnLaunch | |
| appActionIfDevicePasscodeComplexityLessThanLow | |
| appActionIfDevicePasscodeComplexityLessThanMedium | |
| appActionIfDevicePasscodeComplexityLessThanHigh | |
| requireClass3Biometrics | |
| requirePinAfterBiometricChange | |
| fingerprintAndBiometricEnabled | |
| messagingRedirectAppPackageId | |
| messagingRedirectAppDisplayName | |
| exemptedAppPackages | |
| approvedKeyboards | |
| Targeted Apps | |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Users | 1 | DynamicUser | (user.userType -eq "Member") | - | direct | Include |
Default Windows 10 Application Policy
{}
| Property | Value |
| @odata.type | #microsoft.graph.mdmWindowsInformationProtectionPolicy |
| displayName | Default Windows 10 Application Policy |
| description | {} |
| createdDateTime | 08/13/2020 20:14:02 |
| lastModifiedDateTime | 11/16/2021 21:45:58 |
| roleScopeTagIds | 0 |
| id | M_81118850-9b16-465e-9d2a-83af981ae866 |
| version | 7 |
| enforcementLevel | noProtection |
| enterpriseDomain | xentermd.com |
| protectionUnderLockConfigRequired | True |
| revokeOnUnenrollDisabled | |
| rightsManagementServicesTemplateId | |
| azureRightsManagementServicesAllowed | |
| iconsVisible | True |
| enterpriseIPRangesAreAuthoritative | |
| enterpriseProxyServersAreAuthoritative | |
| indexingEncryptedStoresOrItemsBlocked | |
| isAssigned | True |
| enterpriseProtectedDomainNames | |
| dataRecoveryCertificate | @{subjectName=OU=EFS File Encryption Certificate, L=EFS, CN=RexLinder; description=dra_recovery_key_microsoft365.CER; expirationDateTime=07/20/2120 02:50:05; certificate=} |
| protectedApps | Internet Explorer, Word, Excel, PowerPoint, OneDrive, OneNote, Mail and Calendar, Skype for Business, Microsoft Edge |
| exemptApps | |
| enterpriseNetworkDomainNames | |
| enterpriseProxiedDomains | |
| enterpriseIPRanges | |
| enterpriseProxyServers | |
| enterpriseInternalProxyServers | |
| neutralDomainResources | |
| smbAutoEncryptedFileExtensions | |
Assignments
| Name | MemberCount | GroupType | DynamicRule | Intent | Source | AssignType |
| All Users | 1 | DynamicUser | (user.userType -eq "Member") | - | direct | Include |