Settings reference for Microsoft HoloLens 2 advanced security baseline for Microsoft Intune

This article is a reference for the settings that are available in the Microsoft HoloLens 2 advanced security baseline for Microsoft Intune.

Tip

To view settings for the Microsoft HoloLens 2 standard security baseline, see Settings reference for the Microsoft HoloLens 2 standard security baseline for Microsoft Intune.

About this reference article

Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings.

The details that display in this article are based on the baseline version you select at the top of the article. For each version, this article displays:

  • A list of each setting with its configuration as found in the default instance of that baseline version.
  • When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a setting's use.

When a new version of a baseline becomes available, it replaces the previous version. Profile instances that were created before the availability of a new version:

  • Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
  • Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings.

To learn more about using security baselines, see:

HoloLens 2 Advanced security baseline (version 1) - January 2025

Account Management

  • Deletion Policy
    Baseline default: Delete at both storage capacity threshold and profile inactivity threshold
    Learn more

  • Enable Profile Manager
    Baseline default: True
    Learn more

  • Profile Inactivity Threshold
    Baseline default: Configured
    Value: 30
    Learn more

  • Storage Capacity Start Deletion
    Baseline default: Configured
    Value: 25
    Learn more

  • Storage Capacity Stop Deletion
    Baseline default: Configured
    Value: 50
    Learn more

Accounts

  • Allow Microsoft Account Connection
    Baseline default: Block
    Learn more

Administrative Templates

System > Power Management > Video and Display Settings

  • Turn off the display (plugged in)
    Baseline default: Enabled
    Learn more

    • When plugged in, turn display off after (seconds)
      Baseline default: 30

Browser

  • Allow Autofill
    Baseline default: Block
    Learn more

  • Allow Cookies
    Baseline default: Block only cookies from third party websites
    Learn more

  • Allow Do Not Track
    Baseline default: Block
    Learn more

  • Allow Password Manager
    Baseline default: Block
    Learn more

  • Allow Popups
    Baseline default: Block
    Learn more

  • Allow Search Suggestions in Address Bar
    Baseline default: Block
    Learn more

  • Allow Smart Screen
    Baseline default: Allow
    Learn more

Connectivity

  • Allow Bluetooth
    Baseline default: Disallow Bluetooth. The radio in the Bluetooth control panel will be grayed out and the user will not be able to turn Bluetooth on.
    Learn more

  • Allow USB Connection
    Baseline default: Not allowed.
    Learn more

Device Lock

  • Device Password Enabled
    Baseline default: Enabled
    Learn more

    • Max Device Password Failed Attempts
      Baseline default: Configured
      Value: 10
      Learn more

    • Allow Idle Return Without Password
      Baseline default: Not allowed.
      Learn more

    • Alphanumeric Device Password Required
      Baseline default: Password or Numeric PIN required.
      Learn more

    • Max Inactivity Time Device Lock
      Baseline default: Configured
      Value: 3
      Learn more

    • Device Password History
      Baseline default: Configured
      Value: 15
      Learn more

    • Allow Simple Device Password
      Baseline default: Not allowed.
      Learn more

    • Device Password Expiration
      Baseline default: Not configured
      Learn more

    • Min Device Password Length
      Baseline default: Configured
      Value: 12
      Learn more

Experience

  • Allow Manual MDM Unenrollment
    Baseline default: Block
    Learn more

Microsoft App Store

  • Allow All Trusted Apps
    Baseline default: Explicit deny.
    Learn more

  • Allow apps from the Microsoft app store to auto update
    Baseline default: Allowed.
    Learn more

  • Allow Developer Unlock
    Baseline default: Explicit deny.
    Learn more

Microsoft Edge

  • Block third party cookies
    Baseline default: Enabled

  • Configure Do Not Track
    Baseline default: Disabled

  • Enable AutoFill for addresses
    Baseline default: Disabled

  • Enable AutoFill for payment instruments
    Baseline default: Disabled

  • Enable search suggestions
    Baseline default: Disabled

Content settings

  • Default pop-up window setting
    Baseline default: Enabled

    • Default pop-up window setting (Device)
      Baseline default: Do not allow any site to show popups

Extensions

  • Control which extensions cannot be installed
    Baseline default: Enabled

    • Extension IDs the user should be prevented from installing (or * for all) (Device)
      Baseline default: *

Password manager and protection

  • Configures a setting that asks users to enter their device password while using password autofill
    Baseline default: Enabled

    • Configures a setting that asks users to enter their device password while using password autofill (Device)
      Baseline default: Autofill off

  • Enable saving passwords to the password manager
    Baseline default: Disabled

SmartScreen settings

  • Configure Microsoft Defender SmartScreen
    Baseline default: Enabled

Mixed Reality

  • AAD Group Membership Cache Validity In Days
    Baseline default: Configured
    Value: 7
    Learn more

Privacy

  • Let Apps Access Account Info
    Baseline default: Force deny.
    Learn more

  • Let Apps Access Account Info Force Allow These Apps
    Baseline default: Configured
    Values:

    • Microsoft.Dynamics365.Guides_8wekyb3d8bbwe
    • Microsoft.MicrosoftRemoteAssist_8wekyb3d8bbwe

    Learn more

  • Let Apps Access Background Spatial Perception
    Baseline default: Force deny.
    Learn more

  • Let Apps Access Background Spatial Perception Force Allow These Apps
    Baseline default: Configured
    Values:

    • Microsoft.Dynamics365.Guides_8wekyb3d8bbwe
    • Microsoft.MicrosoftRemoteAssist_8wekyb3d8bbwe

    Learn more

  • Let Apps Access Camera
    Baseline default: Force deny.
    Learn more

  • Let Apps Access Camera Force Allow These Apps
    Baseline default: Configured
    Values:

    • Microsoft.Dynamics365.Guides_8wekyb3d8bbwe
    • Microsoft.MicrosoftRemoteAssist_8wekyb3d8bbwe

    Learn more

  • Let Apps Access Microphone
    Baseline default: Force deny.
    Learn more

  • Let Apps Access Microphone Force Allow These Apps
    Baseline default: Configured
    Values:

    • Microsoft.Dynamics365.Guides_8wekyb3d8bbwe
    • Microsoft.MicrosoftRemoteAssist_8wekyb3d8bbwe

    Learn more

  • Allow Search To Use Location
    Baseline default: Block
    Learn more

Security

  • Allow Add Provisioning Package
    Baseline default: Block
    Learn more

Settings

  • Allow VPN
    Baseline default: Not allowed.
    Learn more

  • Page Visibility List
    Baseline default: Configured
    Value: hide:emailandaccounts;workplace;otherusers;bluetooth;usb;network-proxy;network-wifi;network-ethernet;network-airplanemode;powersleep;certificates;developers;windowsinsider;
    Learn more

System

  • Allow Storage Card
    Baseline default: SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card.
    Learn more

  • Allow Telemetry
    Baseline default: Security
    Learn more

Tenant Lockdown

  • Require Network In OOBE (Device)
    Baseline default: True

Wi-Fi Settings

  • Allow Manual Wi Fi Configuration
    Baseline default: Allow
    Learn more

Important

Allow or block connections to Wi-Fi outside of MDM server-installed networks. If you change this setting to Block, you must deploy enterprise Wi-Fi profiles to the device using the Wi-Fi CSP before you apply this setting. Otherwise, the device will go offline since it won't be able to connect to Wi-Fi. Note that choosing to block Wi-Fi connections will delete any previously installed user-configured Wi-Fi profiles from the device, though not all non-MDM profiles will be deleted.

Windows Hello For Business

  • Enable Pin Recovery
    Baseline default: False
    Learn more

  • Restrict use of TPM 1.2
    Baseline default: Disabled
    Learn more

  • Digits
    Baseline default: Requires the use of at least one digits in PIN.
    Learn more

  • Expiration
    Baseline default: Configured
    Value: 90
    Learn more

  • PIN History
    Baseline default: Configured
    Value: 10
    Learn more

  • Lowercase Letters
    Baseline default: Required
    Learn more

  • Maximum PIN Length
    Baseline default: Configured
    Value: 6
    Learn more

  • Minimum PIN Length
    Baseline default: Configured
    Value: 6
    Learn more

  • Special Characters
    Baseline default: Requires the use of at least one special characters in PIN.
    Learn more

  • Uppercase Letters
    Baseline default: Required
    Learn more

  • Require Security Device
    Baseline default: True
    Learn more

  • Use Certificate For On Prem Auth
    Baseline default: Disabled
    Learn more

  • Use Hello Certificates As Smart Card Certificates
    Baseline default: Disabled
    Learn more

  • Use Windows Hello For Business (Device)
    Baseline default: True
    Learn more

Windows Update For Business

  • Allow Update Service
    Baseline default: Allow
    Learn more

  • Manage Preview Builds
    Baseline default: Disable Preview builds
    Learn more
