Merge pull request #43 from SkipToTheEndpoint/windows-v3.3

Windows-v3.3

.github/workflows/main.yaml

@@ -3,9 +3,6 @@ on:
     push:
         branches:
             - main
-    pull_request:
-        branches:
-            - main
 
 jobs:
     contrib-readme-job:

CHANGELOG.md

@@ -4,6 +4,7 @@
 ## Release
 **[OIB MacOS v1.0](/MACOS/README.md)**
 **[OIB Windows 365 v1.0](/WINDOWS365/README.md)**
+**[OIB Windows v3.3](/WINDOWS/README.md)**
 
 # 2024-08-29
 ## Added

README.md

@@ -80,7 +80,7 @@ Each OS will have its own folder, with OS-specific files (readme, changelog, bas
 The current OIB versions are:
 | OS 	| Current Release 	| Change Log   |
 |---	|---	|---	
-| [Windows](/WINDOWS/README.md) 	| [v3.2](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/v3.2) 	| [Windows Change Log](/WINDOWS/CHANGELOG.md) 	|
+| [Windows](/WINDOWS/README.md) 	| [v3.3](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/windows-v3.3) 	| [Windows Change Log](/WINDOWS/CHANGELOG.md) 	|
 | [Windows 365](/WINDOWS365/README.md) 	| [v1.0](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/win365-v1.0) 	| [Windows 365 Change Log](/WINDOWS365/CHANGELOG.md) 	|
 | [MacOS](/MACOS/README.md) 	| [v1.0](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/macos-v1.0) 	| [MacOS Change Log](/MACOS/CHANGELOG.md) 	|
 

WINDOWS/BASELINECOMPARISON.md

@@ -0,0 +1,141 @@
+# OIB Baseline Comparisons
+
+Documented below are the results of some tests of other baseline configurations available for Intune-managed devices. I documented the experice seen during an Autopilot deployment, the general post-provisioning user experience, and any policy or security issues identified.
+
+To conduct the tests I took an approach that is widely seen in this space, that being:
+* Baselines were imported "as-is" with no modifications made.
+* All policies were targeted at devices, rather than users.
+
+OIB data has been presented from **direct feedback from community members** who have implemented the baseline **in their own environments**. Other baseline tests have been conducted to map against those same feedback points to provide a reasonable and unbiased comparison.
+
+---
+
+## OpenIntuneBaseline
+### Test Details
+* Baseline Version(s) Tested:
+    * [OpenIntuneBaseline - Windows v3.3](/WINDOWS/README.md)
+* Tested on:
+    * Windows 11 Enterprise 23H2 - 2024.08 B Security Update
+
+### Autopilot User Experience:
+* No reboot seen between Device and user Phase.
+* User required to pass 2rd MFA challenge to configure WHfB (not seen if skipping user ESP or ESP takes <15 minutes).
+
+### General User Experience:
+* Edge automatically configured and signed-in.
+* Great productivity experience:
+    * Outlook auto sign-in using primary SMTP address
+    * OneDrive KFM automatically configured and signed-in.
+    * Office apps do not prompt first-run wizard.
+
+### Helpdesk Support Experience:
+* UAC allowed within the user session, able to use LAPS to diagnose or resolve issues.
+
+### Policy Issues Seen:
+* Two transient policy error due to Defender Additional Configuration & Defender Tamper Protection ([documented here](/WINDOWS/KNOWNISSUES.md)) - Resolved after reboot.
+
+### Security Issues Identified:
+* None
+
+### Admin Impact Summary:
+* Simple and quick implementation of a secure, "known-good" baseline.
+* Known issues are well documented.
+* Policies are granular and easy to understand and expand on.
+* Community-driven feedback and support available.
+
+---
+
+## Intune Security Baseline
+### Comparison Rationale
+In blogs, documentation, and presentations, Microsoft regularly states that the Intune Security Baseline is the recommended starting point for securing Windows devices.
+
+### Test Details
+* Baseline Version(s) Tested:
+    * [Security Baseline for Windows 10 and later - Version 23H2](https://learn.microsoft.com/en-gb/mem/intune/protect/security-baseline-settings-mdm-all?pivots=mdm-23h2)
+    * [Microsoft Defender for Endpoint Security Baseline - Version 24H1](https://learn.microsoft.com/en-gb/mem/intune/protect/security-baseline-settings-defender?pivots=mde-v24h1)
+    * [Security Baseline for Microsoft Edge - Version 117](https://learn.microsoft.com/en-gb/mem/intune/protect/security-baseline-v2-edge-settings?pivots=edge-v117)
+* Tested on:
+    * Windows 11 Enterprise 23H2 - 2024.08 B Security Update
+
+### Autopilot User Experience:
+* Reboot seen between Device and user Phase:
+    * User needs to re-input user credentials.
+    * User required to re-pass MFA (if not skipping user ESP).
+* User required to pass 3rd MFA challenge to configure WHfB (or 2nd if skipping user ESP).
+* Default password length of 14 which also impacts WHfB PIN!
+
+### General User Experience:
+* You've been forced to use a 14 character PIN which you've probably set the same as your password.
+* Poor initial Edge user experience:
+    * Account automatically identified but user asked for sign in
+    * Large amount of initial setup wizard prompts.
+* Suboptimal productivity experience:
+    * Outlook identifies user account but does not get automatically configured.
+    * No OneDrive configuration, user has to log in and configure manually.
+    * Prompted by Office first-run wizard to set file types.
+
+### Helpdesk Support Experience:
+* UAC blocked within the user session, making it difficult to diagnose or resolve issues.
+
+### Policy Issues Seen:
+* Windows and Defender Security Baselines (still) conflict with each other.
+
+### Security Issues Identified:
+* No BitLocker configuration, leaving device unencrypted.
+
+### Admin Impact:
+* Applying other policies difficult due to monolithic nature of the security baseline.
+* Tracking down and resolving conflicts between the security baselines is time-consuming.
+* Support relies on Microsoft documentation or available paid support channels.
+
+---
+
+## Center for Internet Security (CIS) Benchmark
+### Comparison Rationale
+The CIS Benchmarks are widely used across the industry and are considered a "gold standard" for device security configuratio.
+
+### Test Details
+* Baseline Version Tested:
+    * [CIS Microsoft Intune for Windows 11 Benchmark v3.0.1](https://workbench.cisecurity.org/benchmarks/16853) (CIS Workbench login required)
+        * Note: Build Kit requires CIS SecureSuite subscription
+* Tested on:
+    * Windows 11 Enterprise 23H2 - 2024.08 B Security Update
+
+### Autopilot User Experience:
+* Reboot seen between Device and user Phase:
+    * User had to press CTRL+ALT+DEL.
+    * User needs to re-input user credentials.
+    * User required to re-pass MFA (if not skipping user ESP).
+* User required to pass 3rd MFA challenge to configure WHfB (or 2nd if skipping user ESP).
+
+### General User Experience:
+* Configured to not remember user credentials so every logon requires full credential input even if WHfB is configured.
+* Poor initial Edge user experience:
+    * Account automatically identified but user asked for sign in
+    * Large amount of initial setup wizard prompts.
+* Suboptimal productivity experience:
+    * Outlook identifies user account but does not get automatically configured.
+    * No OneDrive configuration, user has to log in and configure manually.
+    * Prompted by Office first-run wizard to set file types.
+
+### Helpdesk Support Experience:
+* UAC blocked within the user session, making it difficult to diagnose or resolve issues.
+
+### Policy Issues Seen:
+* **CIS (L1) Section 1 - 3.9.1.1 - Windows 11 Intune 3.0** - _(L1) Ensure 'MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)' is set to 'Disabled'_
+    * Setting completely breaks Autopilot if not removed.
+* **CIS (L1) Windows Update - Windows 11 Intune 3.0.1** - 
+    * Conflicted with pre-existing Windows Update for Business Ring settings.
+
+### Security Issues Identified:
+* BitLocker policy does not function, leaving device unencrypted.
+* Some security gaps without implementing additional benchmarks (e.g. Edge, Internet Explorer).
+* Conflicts in Windows Update settings leads to unpredictable update behaviour.
+
+### Admin Impact:
+* Does not work out-of-the-box with Autopilot!
+* Applying other policies potentially difficult due to haphazard existing policy groupings.
+* Tracking down and resolving conflicts between the security baselines is time-consuming.
+* Support relies on vendor documentation or available paid support channels.
+
+---

WINDOWS/CHANGELOG.md

@@ -1,6 +1,55 @@
 # OIB Windows Change Log
 
-# v3.2 - 2024-08-02
+# Windows v3.3 - 2024-09-02
+## Added
+### Endpoint Security
+**Win - OIB - Attack Surface Reduction - D - ASR Rules (L2) - v3.3**
+* Resolves [#13](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/discussions/13)
+* New ASR policy which includes a number of rules that I have had good success with in Block mode.
+<br>I don't necessarily want to make Level 1/Level 2 a thing here because I actually care about device usability, but I'm going to refer to this one as such.
+
+> [!WARNING]
+> Just because I've had success with these rules, doesn't mean you will!
+> 
+> If you've been running in Audit mode for a while, there's an amazing blog by [Nathan McNulty](https://x.com/NathanMcNulty), [Defender for Endpoint - Implementing ASR Rules](https://blog.nathanmcnulty.com/defender-for-endpoint-implementing-asr-rules/) which has some great Advanced Hunting queries to help validating if these will have an impact.
+> 
+> If you haven't: **Please** run the Audit mode policy for a decent amount of time before applying anything!
+>
+> Additional Microsoft guidance: [Operationalize attack surface reduction rules - Microsoft Defender for Endpoint | Microsoft Learn](https://learn.microsoft.com/en-us/defender-endpoint/attack-surface-reduction-rules-deployment-operationalize)
+
+
+## Changed/Updated
+### Settings Catalog
+**Win - OIB - Device Security - D - Security Hardening**
+* Fixes [#33](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/discussions/33).
+* Removed the ["Allow Device Discovery"](https://learn.microsoft.com/en-gb/windows/client-management/mdm/policy-csp-Experience?WT.mc_id=Portal-Microsoft_Intune_Workflows#allowdevicediscovery) setting which disables the Win+P and Win+K shortcuts, but doesn't actually stop the user from projecting to a device.
+    * Thanks to the few people who reported this issue, honestly I'm not sure why I had it in there in the first place...
+
+### Endpoint Security
+**Win - OIB - Defender Antivirus - D - AV Configuration**
+* Fixes [#32](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/discussions/32).
+* Changed the ["Signature Update Interval"](https://learn.microsoft.com/en-gb/windows/client-management/mdm/policy-csp-Defender?WT.mc_id=Portal-fx#signatureupdateinterval) from 4 hours to 1 hour. 
+    * Thanks for bringing to my attention some great work from [Ru Campbell](https://x.com/rucam365) [and Viktor Hedberg](https://x.com/headburgh)'s book, [Mastering Microsoft 365 Defender](https://www.amazon.co.uk/Mastering-Microsoft-365-Defender-Implement-ebook/dp/B0BYZLJFCR?ref_=ast_author_dp), and [Jeffery Appel](https://x.com/jeffreyappel7)'s [blog series](https://jeffreyappel.nl/microsoft-defender-for-endpoint-series-define-the-av-baseline-part4a/) on baselining MDE.
+
+### Policy Descriptions
+Aded some additional information to the following policy descriptions to help clarify any issues or hardware/software pre-reqs. Versions have been bumped but no actual policy changes have been made.
+
+* **Win - OIB - Credential Management - D - Passwordless**
+* **Win - OIB - Defender Antivirus - D - Security Experience**
+* **Win - OIB - Device Security - U - Device Guard, Credential Guard and HVCI**
+* **Win - OIB - Microsoft Store - U - Configuration**
+
+
+## Removed
+**Win - OIB - Defender Antivirus - D - Default Exclusions**
+
+Something I'd been curious about for a while was around some (now updated) wording on "built-in exclusions" on the following docs page: [Microsoft Defender Antivirus exclusions on Windows Server - Microsoft Defender for Endpoint | Microsoft Learn](https://learn.microsoft.com/en-us/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus)
+<br> I have subsequently had confirmed by Microsoft that the built-in exclusions do indeed already apply by default to Windows *Client* OS's too, and as such I do not feel the need to have a separate policy for.
+<br>I had separately added entries for the IME Content and IME Cache folders, but any exclusion is creating a security hole that could be exploited, so I'm getting rid of the whole thing.
+
+---
+
+# Windows v3.2 - 2024-08-02
 ## Added
 ### Settings Catalog
 **Win - OIB - Device Security - D - Config Refresh - v3.2**
@@ -19,6 +68,7 @@
 **Win - OIB - Windows Hello for Business - D - WHfB Configuration - v3.2**
 * The last non-Settings Catalog profile type, Account Protection (Preview) has finally been updated to the Settings Catalog format! The policy does have some changes when compared to the previous version and is also using Device scope settings rather than User, so please review the settings. The new template is also (currently) missing the "Allow biometric authentication" setting, so biometrics are enabled by default providing the device has biometric-capable hardware.
 
+
 ## Changed/Updated
 ### Settings Catalog
 **Win - OIB - Device Security - D - Windows Subsystem for Linux**
@@ -40,7 +90,6 @@
 * Removed "Require Private Store Only" setting to match the Microsoft recommendation on restricting access to the Microsoft Store:
 <br>[Configure access to the Microsoft Store app - Configure Windows | Microsoft Learn](https://learn.microsoft.com/en-us/windows/configuration/store/?tabs=intune)
 
-
 ### Endpoint Security
 **Win - OIB - Defender Antivirus - D - AV Configuration**
 * Configured "Metered Connection Updates" to "Allowed" to ensure AV updates are still applied on metered connections.
@@ -49,7 +98,6 @@
 * Added settings to ensure users are prompted via notifications for any actions taken by Defender Antivirus.
 <br>To enhance this policy further, consider enabling the Customized Toasts and in-app Customization settings to give users confidence that notifications are legitimate.
 
-
 ## Removed
 **Win - OIB - Microsoft Accounts - U - Configuration**
 * Replaced by device-based policy, Win - OIB - Microsoft Accounts - D - Configuration - v3.2.
@@ -59,7 +107,7 @@
 
 ---
 
-# v3.1.1 - 2024-04-15
+# Windows v3.1.1 - 2024-04-15
 
 ## Changed/Updated
 ### Settings Catalog
@@ -71,7 +119,7 @@
 
 ---
 
-# v3.1 - 2024-04-10
+# Windows v3.1 - 2024-04-10
 
 ## Added
 ### Settings Catalog
@@ -194,6 +242,6 @@ Added separate compliance policies to allow for much better granularity and cont
 
 ---
 
-# v3.0 and Earlier
+# Windows v3.0 and Earlier
 
 I'm sorry, but for various reasons I didn't keep a changelog before this point. I'll try to keep one from now on.