| title | List of settings for the Microsoft HoloLens 2 advanced security baseline in Intune |
|---|---|
| description | View a list of the settings in the Microsoft Intune advanced security baseline for Microsoft HoloLens 2. This list includes the default values for settings as found in the default configuration of the baseline. |
| ms.date | 01/27/2025 |
| ms.topic | reference |
| ms.reviewer | aanavath |

This article is a reference for the settings that are available in the Microsoft HoloLens 2 advanced security baseline for Microsoft Intune.
Tip
To view settings for the Microsoft HoloLens 2 standard security baseline, see Settings reference for the Microsoft HoloLens 2 standard security baseline for Microsoft Intune.
Each security baseline is a group of preconfigured Windows settings that help you apply and enforce granular security settings that the relevant security teams recommend. You can also customize each baseline you deploy to enforce only those settings and values you require. When you create a security baseline profile in Intune, you're creating a template that consists of multiple device configuration settings.
The details that display in this article are based on the baseline version you select at the top of the article. For each version, this article displays:
- A list of each setting with its configuration as found in the default instance of that baseline version.
- When available, a link to the underlying configuration service provider (CSP) documentation or other related content from the relevant product group that provides context and possibly additional details for a setting's use.
When a new version of a baseline becomes available, it replaces the previous version. Profile instances that were created before the availability of a new version:
- Become read-only. You can continue to use those profiles but can't edit them to change their configuration.
- Can be updated to the current version. After you update a profile to the current baseline version, you can edit the profile to modify settings.
- Deletion Policy
Baseline default: Delete at both storage capacity threshold and profile inactivity threshold
- Enable Profile Manager
Baseline default: True
- Profile Inactivity Threshold
Baseline default: Configured
Value: 30
- Storage Capacity Start Deletion
Baseline default: Configured
Value: 25
- Storage Capacity Stop Deletion
Baseline default: Configured
Value: 50
- Allow Microsoft Account Connection
Baseline default: Block
- Turn off the display (plugged in)
Baseline default: Enabled
  - When plugged in, turn display off after (seconds)
    Baseline default: 30
- Allow Autofill
Baseline default: Block
- Allow Cookies
Baseline default: Block only cookies from third party websites
- Allow Do Not Track
Baseline default: Block
- Allow Password Manager
Baseline default: Block
- Allow Popups
Baseline default: Block
- Allow Search Suggestions in Address Bar
Baseline default: Block
- Allow Smart Screen
Baseline default: Allow
- Allow Bluetooth
Baseline default: Disallow Bluetooth. The radio in the Bluetooth control panel will be grayed out and the user will not be able to turn Bluetooth on.
- Allow USB Connection
Baseline default: Not allowed.
- Device Password Enabled
Baseline default: Enabled
  - Max Device Password Failed Attempts
    Baseline default: Configured
    Value: 10
  - Allow Idle Return Without Password
    Baseline default: Not allowed.
  - Alphanumeric Device Password Required
    Baseline default: Password or Numeric PIN required.
  - Max Inactivity Time Device Lock
    Baseline default: Configured
    Value: 3
  - Device Password History
    Baseline default: Configured
    Value: 15
  - Allow Simple Device Password
    Baseline default: Not allowed.
  - Device Password Expiration
    Baseline default: Not configured
  - Min Device Password Length
    Baseline default: Configured
    Value: 12
- Allow Manual MDM Unenrollment
Baseline default: Block
- Allow All Trusted Apps
Baseline default: Explicit deny.
- Allow apps from the Microsoft app store to auto update
Baseline default: Allowed.
- Allow Developer Unlock
Baseline default: Explicit deny.
- Block third party cookies
Baseline default: Enabled
- Configure Do Not Track
Baseline default: Disabled
- Enable AutoFill for addresses
Baseline default: Disabled
- Enable AutoFill for payment instruments
Baseline default: Disabled
- Enable search suggestions
Baseline default: Disabled
- Default pop-up window setting
Baseline default: Enabled
  - Default pop-up window setting (Device)
    Baseline default: Do not allow any site to show popups
- Control which extensions cannot be installed
Baseline default: Enabled
  - Extension IDs the user should be prevented from installing (or * for all) (Device)
    Baseline default: *
- Configures a setting that asks users to enter their device password while using password autofill
Baseline default: Enabled
  - Configures a setting that asks users to enter their device password while using password autofill (Device)
    Baseline default: Autofill off
- Enable saving passwords to the password manager
Baseline default: Disabled
- Configure Microsoft Defender SmartScreen
Baseline default: Enabled
- AAD Group Membership Cache Validity In Days
Baseline default: Configured
Value: 7
- Let Apps Access Account Info
Baseline default: Force deny.
- Let Apps Access Account Info Force Allow These Apps
Baseline default: Configured
Values:
  - Microsoft.Dynamics365.Guides_8wekyb3d8bbwe
  - Microsoft.MicrosoftRemoteAssist_8wekyb3d8bbwe
- Let Apps Access Background Spatial Perception
Baseline default: Force deny.
- Let Apps Access Background Spatial Perception Force Allow These Apps
Baseline default: Configured
Values:
  - Microsoft.Dynamics365.Guides_8wekyb3d8bbwe
  - Microsoft.MicrosoftRemoteAssist_8wekyb3d8bbwe
- Let Apps Access Camera
Baseline default: Force deny.
- Let Apps Access Camera Force Allow These Apps
Baseline default: Configured
Values:
  - Microsoft.Dynamics365.Guides_8wekyb3d8bbwe
  - Microsoft.MicrosoftRemoteAssist_8wekyb3d8bbwe
- Let Apps Access Microphone
Baseline default: Force deny.
- Let Apps Access Microphone Force Allow These Apps
Baseline default: Configured
Values:
  - Microsoft.Dynamics365.Guides_8wekyb3d8bbwe
  - Microsoft.MicrosoftRemoteAssist_8wekyb3d8bbwe
- Allow Search To Use Location
Baseline default: Block
- Allow Add Provisioning Package
Baseline default: Block
- Allow VPN
Baseline default: Not allowed.
- Page Visibility List
Baseline default: Configured
Value: hide:emailandaccounts;workplace;otherusers;bluetooth;usb;network-proxy;network-wifi;network-ethernet;network-airplanemode;powersleep;certificates;developers;windowsinsider;
- Allow Storage Card
Baseline default: SD card use is not allowed and USB drives are disabled. This setting does not prevent programmatic access to the storage card.
- Allow Telemetry
Baseline default: Security
- Require Network In OOBE (Device)
Baseline default: True
- Allow Manual Wi Fi Configuration
Baseline default: Allow
Important
Allow or block connections to Wi-Fi outside of MDM server-installed networks. If you change this setting to Block, you must deploy enterprise Wi-Fi profiles to the device using the Wi-Fi CSP before you apply this setting. Otherwise, the device will go offline since it won't be able to connect to Wi-Fi. Note that choosing to block Wi-Fi connections will delete any previously installed user-configured Wi-Fi profiles from the device, though not all non-MDM profiles will be deleted.
- Enable Pin Recovery
Baseline default: False
- Restrict use of TPM 1.2
Baseline default: Disabled
- Digits
Baseline default: Requires the use of at least one digits in PIN.
- Expiration
Baseline default: Configured
Value: 90
- PIN History
Baseline default: Configured
Value: 10
- Lowercase Letters
Baseline default: Required
- Maximum PIN Length
Baseline default: Configured
Value: 6
- Minimum PIN Length
Baseline default: Configured
Value: 6
- Special Characters
Baseline default: Requires the use of at least one special characters in PIN.
- Uppercase Letters
Baseline default: Required
- Require Security Device
Baseline default: True
- Use Certificate For On Prem Auth
Baseline default: Disabled
- Use Hello Certificates As Smart Card Certificates
Baseline default: Disabled
- Use Windows Hello For Business (Device)
Baseline default: True
- Allow Update Service
Baseline default: Allow
- Manage Preview Builds
Baseline default: Disable Preview builds