Settings reference for Microsoft HoloLens 2 standard security baseline for Microsoft Intune

This article is a reference for the settings that are available in the Microsoft HoloLens 2 standard security baseline for Microsoft Intune.

Tip

To view settings for the Microsoft HoloLens 2 advanced security baseline, see Settings reference for the Microsoft HoloLens 2 advanced security baseline for Microsoft Intune.

About this reference article

Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings.

The details that display in this article are based on the baseline version you select at the top of the article. For each version, this article displays:

  • A list of each setting with its configuration as found in the default instance of that baseline version.
  • When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a setting's use.

When a new version of a baseline becomes available, it replaces the previous version. Profile instances that were created before the availability of a new version:

  • Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
  • Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see:

HoloLens 2 Standard security baseline (version 1) - January 2025

Accounts

  • Allow Microsoft Account Connection
    Baseline default: Block
    Learn more

Administrative Templates

System > Power Management > Video and Display Settings

  • Turn off the display (plugged in)
    Baseline default: Enabled
    Learn more

    • When plugged in, turn display off after (seconds)
      Baseline default: 30

Browser

  • Allow Cookies
    Baseline default: Block only cookies from third party websites
    Learn more

  • Allow Password Manager
    Baseline default: Block
    Learn more

  • Allow Smart Screen
    Baseline default: Allow
    Learn more

Connectivity

  • Allow USB Connection
    Baseline default: Not allowed.
    Learn more

Device Lock

  • Device Password Enabled
    Baseline default: Enabled
    Learn more

    • Max Device Password Failed Attempts
      Baseline default: Not configured
      Learn more

    • Allow Idle Return Without Password
      Baseline default: Not allowed.
      Learn more

    • Alphanumeric Device Password Required
      Baseline default: Password or Numeric PIN required.
      Learn more

    • Max Inactivity Time Device Lock
      Baseline default: Configured
      Value: 3
      Learn more

    • Device Password History
      Baseline default: Not configured
      Learn more

    • Allow Simple Device Password
      Baseline default: Not allowed.
      Learn more

    • Device Password Expiration
      Baseline default: Not configured
      Learn more

    • Min Device Password Length
      Baseline default: Configured
      Value: 8
      Learn more

Experience

  • Allow Manual MDM Unenrollment
    Baseline default: Block
    Learn more

Microsoft App Store

  • Allow All Trusted Apps
    Baseline default: Explicit deny.
    Learn more

  • Allow apps from the Microsoft app store to auto update
    Baseline default: Allowed.
    Learn more

  • Allow Developer Unlock
    Baseline default: Explicit deny.
    Learn more

Microsoft Edge

  • Block third party cookies
    Baseline default: Enabled

Extensions

  • Control which extensions cannot be installed
    Baseline default: Enabled

    • Extension IDs the user should be prevented from installing (or * for all) (Device)
      Baseline default: *

Password manager and protection

  • Enable saving passwords to the password manager
    Baseline default: Disabled

SmartScreen settings

  • Configure Microsoft Defender SmartScreen
    Baseline default: Enabled

Mixed Reality

  • AAD Group Membership Cache Validity In Days
    Baseline default: Configured
    Value: 7
    Learn more

Settings

  • Allow VPN
    Baseline default: Not allowed.
    Learn more

  • Page Visibility List
    Baseline default: Configured
    Value: hide:emailandaccounts;workplace;otherusers;bluetooth;usb;network-proxy;network-wifi;network-ethernet;network-airplanemode;powersleep;certificates;developers;windowsinsider;
    Learn more

System

  • Allow Storage Card
    Baseline default: SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card.
    Learn more

Tenant Lockdown

  • Require Network In OOBE (Device)
    Baseline default: True

Windows Hello For Business

  • Enable Pin Recovery
    Baseline default: false
    Learn more

  • Restrict use of TPM 1.2
    Baseline default: Disabled
    Learn more

  • Digits
    Baseline default: Requires the use of at least one digits in PIN.
    Learn more

  • Expiration
    Baseline default: Configured
    Value: 90
    Learn more

  • PIN History
    Baseline default: Configured
    Value: 10
    Learn more

  • Lowercase Letters
    Baseline default: Allowed
    Learn more

  • Maximum PIN Length
    Baseline default: Configured
    Value: 6
    Learn more

  • Minimum PIN Length
    Baseline default: Configured
    Value: 6
    Learn more

  • Special Characters
    Baseline default: Allows the use of special characters in PIN.
    Learn more

  • Uppercase Letters
    Baseline default: Allowed
    Learn more

  • Require Security Device
    Baseline default: true
    Learn more

  • Use Certificate For On Prem Auth
    Baseline default: Disabled
    Learn more

  • Use Hello Certificates As Smart Card Certificates
    Baseline default: Disabled
    Learn more

  • Use Windows Hello For Business (Device)
    Baseline default: true
    Learn more

Windows Update For Business

  • Allow Update Service
    Baseline default: Allow
    Learn more

  • Manage Preview Builds
    Baseline default: Disable Preview builds
    Learn more
