Microsoft Office OU

Signed-off-by: Tommy <contact@tommytran.io>

Group Policies Objects/Default Domain Policy/Microsoft Defender Antivirus.md

@@ -1,15 +1,13 @@
 # Microsoft Defender Antivirus
 
-**MAPS and features dependent on it are not enabled using this policy. It just configures how aggressive MAPS should be. This is quite invasive so I will only enable it for certain OUs.**
+**MAPS and features dependent on it disabled using this policy. It is quite invasive so I will only enable it for certain OUs.**
 
 `Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
 
 ## MAPS
 
 `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MAPS`
-
-- Configure the 'Block at First Sight' feature -> Enabled
-- Send file samples when further analysis is required -> Enabled -> Always Prompt (Send safe sample works better with 'Block at First Sight, but I really, really do not trust Microsoft on this one)
+- Join Microsoft MAPS -> Enabled -> Disabled
 
 ## Controlled Folder Access
 
@@ -17,28 +15,11 @@
 
 - Configure Controlled folder access -> Enabled -> Block
 
-## Network Protection
-
-`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`
-
-Only relevant if SmartScreen is used.
-
-Documentation:
-- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
-- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide
-
-This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
-Prevent users and apps from accessing dangerous websites -> Enabled -> Block
-
 ## MpEngine
 
 `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine`
 
-Only relevant if MAPS is used
-
 - Enable file hash computation feature -> Enabled
-- Configure extended cloud check -> Specify the extended cloud check time in seconds -> 50
-- Select cloud protection level -> Zero tolerance blocking level
 
 ## Quarantine
 

Group Policies Objects/Default Domain Policy/Microsoft Edge.md

@@ -1,8 +0,0 @@
-# Microsoft Edge
-
-`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
-`Computer Configuration\Policies\Administrative Templates\Microsoft Edge - Default Settings (users can override)`
-
-You will need to download the Edge policies from https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ and install it.
-
-For the actual policies to set, you can follow my repo at https://github.com/TommyTran732/Microsoft-Edge-Policies at set the equivalent group policies of what is being set there.

Group Policies Objects/Default Domain Policy/Microsoft Edge/Cast.md

@@ -0,0 +1,5 @@
+# Cast
+
+`Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Cast`
+
+- Enabled Google Cast -> Disabled `EnableMediaRouter: false`

Group Policies Objects/Default Domain Policy/Microsoft Edge/Content Settings.md

@@ -0,0 +1,13 @@
+# Content Settings
+
+`Computer Configuration\Policies\Administrative Templates\Microsoft Edge\Content Settings`
+
+- Block cookies on specific sites -> ntp.msn.com `CookiesBlockedForUrls": [ "ntp.msn.com" ]`
+- Default geolocation setting -> Enabled -> Don't allow any site to track users' physical location `DefaultGeolocationSetting: 2`
+- Control use of insecure content Exceptions -> Enabled -> Do not allow any sites to load mixed content `DefaultInsecureContentSetting: 2`
+- Configure cookies -> Enabled -> Keep cookies for the duration of the session, except ones listed in "SaveCookiesOnExit" `DefaultCookiesSetting: 4`
+- Default setting for third-party storage partitioning -> Let third-party storage partitioning to be enabled. `DefaultThirdPartyStoragePartitioningSetting: 1`
+- Control the use of File System API for reading -> Don't allow any site to request and read access to files and directories via the File System API `DefaultFileSystemReadGuardSetting: 2`
+- Control the use of File System API for writing -> Don't allow any site to request and write access to files and directories via the File System API `DefaultFileSystemWriteGuardSetting: 2`
+- Control use of the Web Bluetooth API -> Don't allow any site to request access to Bluetooth devices via the Web Bluetooth API `DefaultWebBluetoothGuardSetting: 2`
+- Allow notifications to set Microsoft Edge as default PDF reader -> Disabled `ShowPDFDefaultRecommendationsEnabled: false`

Group Policies Objects/Default Domain Policy/Microsoft Edge/README.md

@@ -0,0 +1,7 @@
+# Microsoft Edge
+
+`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
+
+You will need to download the Edge policies from https://www.microsoft.com/en-us/edge/business/download?form=MA13FJ and install it.
+
+SmartScreen and Typosquatting as recommeded settings doesn't seem to apply consistently, therefore I force them to be disabled in my Domain Default Policy.

Group Policies Objects/Default Domain Policy/Security Options.md

@@ -7,4 +7,4 @@ Documentation: https://learn.microsoft.com/en-us/windows/security/application-se
 - User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode -> Prompt for credentials
 - User Account Control: Only elevate executables that are signed and validated -> Enabled
 - User Account Control: Switch to the secure desktop when prompting for elevation -> Enabled (Docs says it is enabled by default, but it is off on my Parallels VM somehow)
-- Security setting -> Define -> Require signing (**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**)
+- Network security: LDAP client signing requirements: Require signing (**Follow this guide to setup LDAPS if you do not have key server: https://www.dvolve.net/blog/2019/12/using-lets-encrypt-for-active-directory-domain-controller-certificates/**)

Group Policies Objects/Default Domain Policy/Windows Defender SmartScreen.md

@@ -1,6 +1,9 @@
 # Windows Defender SmartScreen
 
+**SmartScreen and features dependent on it disabled using this policy. It is quite invasive so I will only enable it for certain OUs.**
+
 `Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender SmartScreen`
 
-- Enhanced Phishing Protection -> Service Enabled -> Disabled (**Does not show on Windows Server 2022 by default**)
+- Enhanced Phishing Protection -> Service Enabled -> Disabled
+- Explorer -> Configure Windows Defender SmartScreen -> Disabled
 - Microsoft Edge -> Configure Windows Defender SmartScreen -> Disabled

Group Policies Objects/Gaming/Microsoft Account (Allow).md

@@ -0,0 +1,5 @@
+# Microsoft account
+
+`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft account`
+
+- Block all consumer Microsoft account user authentication -> Disabled

Group Policies Objects/Gaming/Microsoft Defender (Gaming).md

@@ -0,0 +1,47 @@
+# Microsoft Edge
+
+`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
+
+- SmartScreen settings -> Configure Microsoft Defender SmartScreen -> Enabled
+- SmartScreen settings -> Configure Microsoft SmartScreen to block potentially unwanted apps -> Enabled
+- TyposuqattingChecker settings -> Configure Edge TyposquattingChecker -> Enabled
+
+
+# Microsoft Defender Antivirus
+
+## MAPS
+
+`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
+- Join Microsoft MAPS -> Enabled -> Advanced Membership
+- Configure the 'Block at First Sight' feature -> Enabled
+- Send file samples when further analysis is required -> Enabled -> Always Prompt (Send safe sample works better with 'Block at First Sight, but I really, really do not trust Microsoft on this one)
+
+## Network Protection
+
+`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Microsoft Defender Exploit Guard\Network Protection`
+
+Only relevant if SmartScreen is used.
+
+Documentation:
+- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/network-protection?view=o365-worldwide
+- https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/enable-network-protection?view=o365-worldwide
+
+This settings controls whether Network protection is allowed to be configured into block or audit mode on Windows -> Enabled (Only relevant if running Windows Server)
+Prevent users and apps from accessing dangerous websites -> Enabled -> Block
+
+## MpEngine
+
+`Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\MpEngine`
+
+Only relevant if MAPS is used
+
+- Configure extended cloud check -> Specify the extended cloud check time in seconds -> 50
+- Select cloud protection level -> Zero tolerance blocking level
+
+
+# Windows Defender SmartScreen
+
+`Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender SmartScreen`
+
+- Explorer -> Configure Windows Defender SmartScreen -> Enabled -> Warn
+- Microsoft Edge -> Configure Windows Defender SmartScreen -> Enabled

Group Policies Objects/Gaming/Microsoft Defender Antivirus (Gaming).md

@@ -1,14 +0,0 @@
-# Microsoft Edge
-
-`Computer Configuration\Policies\Administrative Templates\Microsoft Edge`
-
-- SmartScreen settings -> Configure Microsoft Defender SmartScreen -> Enabled
-- SmartScreen settings -> Configure Microsoft SmartScreen to block potentially unwanted apps -> Enabled
-- TyposuqattingChecker settings -> Configure Edge TyposquattingChecker -> Enabled
-
-
-# Microsoft Defender Antivirus
-
-`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Antivirus`
-
-- Join Microsoft MAPS -> Enabled -> Advanced Membership

Group Policies Objects/Gaming/Microsoft Office/Microsoft Account (Allow).md

@@ -0,0 +1,5 @@
+# Microsoft account
+
+`Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft account`
+
+- Block all consumer Microsoft account user authentication -> Disabled

Group Policies Objects/Gaming/Security Options (Gaming).md

@@ -0,0 +1,5 @@
+# Security Options
+
+`Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options`
+
+- User Account Control: Only elevate executables that are signed and validated -> Disabled