
skiptotheendpoint / openintunebaseline


Community-driven baseline to accelerate Intune adoption and learning.

License: GNU General Public License v3.0

device-config intune microsoft security

openintunebaseline's People

Contributors

ee61re, kieran-turnbull, skiptotheendpoint


openintunebaseline's Issues

Device Restarting During ESP

Hey! I've stumbled upon this problem where laptops restart after device setup phase, and then they lose the temporary access pass (TAP). I've been trying so hard to figure out which policy might be causing this. I thought it could be update policies based on some Google searches, but I've already disabled those and it's still happening. So, I'm kind of lost. If you could give me any hints on how to figure it out, I'd be super grateful.

Also, I just want to say thanks a bunch for sharing this, it's been a huge help!

Changelog Mistake

Hi,

In the latest changelog under:

Win - OIB - Microsoft Store - D - Configuration

Changed "Block Non Admin User Install" and "Allow All Trusted Apps" from "Block" to "Allow" and "Explicit allow unlock." to "Explicit deny" respectively as per suggestion #4 - You'd think "Block" would mean it's blocked, but no, thanks Microsoft.
Removed "Block Non Admin User Install" and added "MSI Allow User Control Over Install" set to "Disabled".

It states that you change Block Non Admin User Install from Block to Allow, but at the end it states that Removed "Block Non Admin User Install".

Win - OIB - Internet Explorer (Legacy) - D - Security - v3.1 doesn't match Windows 11 v23H2 Security Baseline

There seem to be a couple of issues with the 3.1 version of the Internet Explorer Configuration profile, where it doesn't match the Windows 11 v23H2 Security Baseline settings for Internet Explorer.

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Trusted Sites Zone

The subsetting for Don't run antimalware programs against ActiveX controls should be set to Disable, is currently Enable.

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Intranet Zone

Turn on SmartScreen Filter scan should not be set.

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Locked-Down Internet Zone

Turn on SmartScreen Filter should be enabled.

Windows Components > Internet Explorer > Internet Control Panel > Security Page > Internet Zone

The Only allow approved domains to use ActiveX controls without prompt setting is missing, should be enabled.

Defender Firewall v3.0 versus Windows Firewall v3.1

There are 2 policies:

Win - OIB - Defender Firewall - D - Firewall Configuration - v3.0

Win - OIB - Windows Firewall - D - Firewall Configuration - v3.1

It appears that the difference is primarily around logging - e.g. of dropped connections.

Is there meant to be only one policy?

Error Code 65000

Getting the Error Code 65000 on several of the Defender Antivirus settings.

Win - OIB - Defender Antivirus - D - Additional Configuration - v3.1
Hide Exclusions From Local Users
Intel TDT Enabled
Oobe Enable Rtp And Sig Update

Win - OIB - Defender Antivirus - D - Security Experience - v3.0
Tamper Protection Blob

This is occurring during the White Glove OOBE on both Lenovo and Dell devices.

Aware of Any conflict with these policies and Web Sign In?

I am having an odd issue I suspect may be caused by a setting in OpenIntuneBaselines but I am not 100% sure. With the baselines applied, the default destructive pin reset from the lock screen does not work, it just says "please wait" for 1 second and goes back to the lock screen sleep screen with just the time. The same thing happens trying to use the Windows web sign-in provider for Entra joined machines.

I read that blocking notifications can disable pin reset but can't find why web sign in doesn't work. I tried re-enabling lock screen notifications but it didn't fix either problem. Perhaps I missed notifications disabled in a 2nd location?

I am wondering if anyone else using these baselines either has the same problem or if they can successfully use web sign in and the default destructive pin reset (it should work without any config, unlike the non destructive pin reset). If anyone running the baselines I would appreciate it! Thanks
