HoloLens 2 security baselines

Important

Some of the policies used in this security baseline are introduced in our latest Insider build. These policies will only function on devices updated to the latest Insider build.

This article lists and describes the various security baseline settings you can configure on HoloLens 2 using Configuration Service Providers (CSP). As part of your mobile device management using Microsoft Endpoint Manager (formally known as Microsoft Intune), use the following standard or advanced security baseline settings depending on your organizational policies and needs. Use these security baseline settings to help protect your organizational resources.

  • Standard security baseline settings are applicable to all types of users irrespective of the use case scenario and industry vertical.
  • Advanced security baseline settings are recommended settings for users who have strict security controls of their environment, and require stringent security policies for devices used in their environment.

These security baseline settings are based on Microsoft’s best practice guidelines and experience gained in deploying and supporting HoloLens 2 devices to customers in various industries.

Once you've reviewed the security baseline and decided to use the one, both, or parts, then check out how to enable these security base lines

1. Standard security baseline settings

The following sections describe the recommended settings of each CSP as part of the standard security baseline profile.

1.1 Policy CSP

Policy Name Value Description
Accounts
Accounts/AllowMicrosoftAccountConnection 0 – Not Allowed Restrict the user to use an MSA account for non-email related connection authentication and services.
Application Management
ApplicationManagement/AllowAllTrustedApps 0 - Explicit deny Explicitly deny non Microsoft Store apps.
ApplicationManagement/AllowAppStoreAutoUpdate 1 – Allowed Allow automatic update of apps from Microsoft Store.
ApplicationManagement/AllowDeveloperUnlock 0 - Explicit deny Restrict the user to unlock developer mode, which allows the user to install apps on the device from an IDE.
Browser
Browser/AllowCookies 1 – Block only cookies from third party websites With this policy, you can configure Microsoft Edge to block only 3rd-party cookies or block all cookies.
Browser/AllowPasswordManager 0 – Not allowed Disallow Microsoft Edge to use the password manager.
Browser/AllowSmartScreen 1 – Turned on Turns on Windows Defender SmartScreen and prevent users from turning it off.
Connectivity
Connectivity/AllowUSBConnection 0 – Not allowed Disables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications.
Device Lock
DeviceLock/AllowIdleReturnWithoutPassword 0 – Not allowed Disallow return from idle without PIN or password.
DeviceLock/AllowSimpleDevicePassword 0 – Blocked Block PINs or passwords such as "1111" or "1234".
DeviceLock/AlphanumericDevicePasswordRequired 1 – Password or Numeric PIN required Require password or alphanumeric PIN.
DeviceLock/DevicePasswordEnabled 0 – Enabled Device lock is enabled.
DeviceLock/MaxInactivityTimeDeviceLock An integer X where 0 < X < 999 Recommended value: 3 Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked.
DeviceLock/MinDevicePasswordComplexCharacters 1 - Digits only The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
DeviceLock/MinDevicePasswordLength An integer X where 4 < X < 16 for client devicesRecommended value: 8 Specifies the minimum number or characters required in the PIN or password.
MDM Enrollment
Experience/AllowManualMDMUnenrollment 0 – Not allowed Disallow the user to delete the workplace account using the workplace control panel.
Identity
MixedReality/AADGroupMembershipCacheValidityInDays Number of days the cache to be validRecommended value: 7 days Number of days the Azure AD group membership cache should be valid.
Power
Power/DisplayOffTimeoutPluggedIn Idle time in number of secondsRecommended values: 60 secs Allows you to specify the period of inactivity before Windows turns off the display.
Settings
Settings/AllowVPN 0 – Not allowed Disallow the user to change VPN settings.
Settings/PageVisibilityList Shortened name of the pages that are visible to the user. Will provide a UI to select or unselect the page names. See comments for recommended pages to hide. Allow only listed pages to be displayed to the user in Settings app.
System
System/AllowStorageCard 0 – Not allowed SD card use isn't allowed and USB drives are disabled. This setting doesn't prevent programmatic access to the storage card.
Updates
Update/AllowUpdateService 1 – Allowed Allow access to Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
Update/ManagePreviewBuilds 0 - Disable Preview builds Disallow preview builds to be installed on the device.

1.2 ClientCertificateInstall CSP

We recommend configuring this CSP as a best practice but don't have recommendations for specific values for each node in this CSP.

1.3 PassportForWork CSP

Node Name Value Description
Tenant ID TenantId A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management.
TenantId/Policies/UsePassportForWork True Sets Windows Hello for Business as a method for signing into Windows.
TenantId/Policies/RequireSecurityDevice True Requires a Trusted Platform Module (TPM) for Windows Hello for Business.
TenantId/Policies/ExcludeSecurityDevices/TPM12 False TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.
TenantId/Policies/EnablePinRecovery False PIN recovery secret won't be created or stored.
TenantId/Policies/UseCertificateForOnPremAuth False PIN will be provisioned when the user logs in, without waiting for a certificate payload.
TenantId/Policies/PINComplexity/MinimumPINLength 6 PIN length must be greater than or equal to this number.
TenantId/Policies/PINComplexity/MaximumPINLength 6 PIN length must be less than or equal to this number.
TenantId/Policies/PINComplexity/UppercaseLetters 2 Digits are required and all other character sets aren't allowed.
TenantId/Policies/PINComplexity/LowercaseLetters 2 Digits are required and all other character sets aren't allowed.
TenantId/Policies/PINComplexity/SpecialCharacters 2 Doesn't allow the use of special characters in PIN.
TenantId/Policies/PINComplexity/Digits 0 Allows the use of digits in PIN.
TenantId/Policies/PINComplexity/History 10 Number of past PINs that can be associated to a user account that can't be reused.
TenantId/Policies/PINComplexity/Expiration 90 Period of time (in days) that a PIN can be used before the system requires the user to change it.
TenantId/Policies/UseHelloCertificatesAsSmartCardCertificates False Applications don't use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key.

1.4 RootCATrustedCertificates CSP

We recommend configuring Root, CA, TrustedPublisher and TrustedPeople nodes in this CSP as a best practice but won't recommend on specific values for each node in this CSP.

1.5 TenantLockdown CSP

Node Name Value Description
RequireNetworkInOOBE True When the device goes through OOBE at first sign-in or after a reset, the user is required to choose a network before proceeding. There's no "skip for now" option. This option ensures that the device remains bound to the tenant in case of accidental or intentional resets or wipes.

1.6 VPNv2 CSP

We recommend configuring this CSP as a best practice, but we don't have recommendations for specific values for each node in this CSP. Most of the settings are related to the customer environment.

1.7 WiFi CSP

We recommend configuring this CSP as a best practice, but we don't have recommendations for specific values for each node in this CSP. Most of the settings are related to the customer environment.

2 Advanced security baseline settings

The following sections describe the recommended settings of each CSP as part of the advanced security baseline profile.

2.1 Policy CSP

Policy Name Value Description
Accounts
Accounts/AllowMicrosoftAccountConnection 0 – Not Allowed Restrict the user to use an MSA account for non-email related connection authentication and services.
Application Management
ApplicationManagement/AllowAllTrustedApps 0 - Explicit deny Explicitly deny non-Microsoft Store apps.
ApplicationManagement/AllowAppStoreAutoUpdate 1 – Allowed Allow automatic update of apps from Microsoft Store.
ApplicationManagement/AllowDeveloperUnlock 0 - Explicit deny Restrict the user to unlock developer mode, which allows the user to install apps on the device from an IDE.
Authentication
Authentication/AllowFastReconnect 0 – Not allowed Disallow EAP Fast Reconnect from being attempted for EAP Method TLS.
Bluetooth
Bluetooth/AllowDiscoverableMode 0 – Not allowed Other devices won't be able to detect this device.
Browser
Browser/AllowAutofill 0 – Prevented/not allowed Prevent users using the Autofill feature to populate the form fields in Microsoft Edge automatically.
Browser/AllowCookies 1 – Block only cookies from third party websites Block only cookies from third party websites.
Browser/AllowDoNotTrack 0 - Never send tracking information Never send tracking information.
Browser/AllowPasswordManager 0 – Not allowed Disallow Microsoft Edge to use the password manager.
Browser/AllowPopups 1 – Turn on Pop-up Blocker Turn on Pop-up Blocker stopping pop-up windows from opening.
Browser/AllowSearchSuggestionsinAddressBar 0 – Prevented/not allowed Hide search suggestions in the Address bar of Microsoft Edge.
Browser/AllowSmartScreen 1 – Turned on Turns on Windows Defender SmartScreen and prevent users from turning it off.
Connectivity
Connectivity/AllowBluetooth 0 – Disallow Bluetooth The bluetooth control panel will be grayed out and the user won't be able to turn on Bluetooth.
Connectivity/AllowUSBConnection 0 – Not allowed Disables USB connection between the device and a computer to sync files with the device or to use developer tools to deploy or debug applications.
Device Lock
DeviceLock/AllowIdleReturnWithoutPassword 0 – Not allowed Disallow return from idle without PIN or password.
DeviceLock/AllowSimpleDevicePassword 0 – Blocked Block PINs or passwords such as "1111" or "1234".
DeviceLock/AlphanumericDevicePasswordRequired 0 – Password or Alphanumeric PIN required Require password or alphanumeric PIN.
DeviceLock/DevicePasswordEnabled 0 – Enabled Device lock is enabled.
DeviceLock/DevicePasswordHistory An integer X where 0 < X < 50Recommended value: 15 Specifies how many passwords can be stored in the history that can't be used.
DeviceLock/MaxDevicePasswordFailedAttempts An integer X where 4 < X < 16 for client devicesRecommended value: 10 The number of authentication failures allowed before the device will be wiped.
DeviceLock/MaxInactivityTimeDeviceLock An integer X where 0 < X < 999 Recommended value: 3 Specifies the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked.
DeviceLock/MinDevicePasswordComplexCharacters 3 - Digits, lowercase letters, and uppercase letters are required The number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password.
DeviceLock/MinDevicePasswordLength An integer X where 4 < X < 16 for client devicesRecommended value: 12 Specifies the minimum number or characters required in the PIN or password.
MDM Enrollment
Experience/AllowManualMDMUnenrollment 0 – Not allowed Disallow the user to delete the workplace account using the workplace control panel.
Identity
MixedReality/AADGroupMembershipCacheValidityInDays Number of days the cache to be validRecommended value: 7 days Number of days the Azure AD group membership cache should be valid.
Power
Power/DisplayOffTimeoutPluggedIn Idle time in number of secondsRecommended values: 60 secs Allows you to specify the period of inactivity before Windows turns off the display.
Privacy
Privacy/LetAppsAccess
AccountInfo
2 - Force deny Denies Windows apps access to account information.
Privacy/LetAppsAccess
AccountInfo_ForceAllowTheseApps
List of semi-colon delimited Package Family Names of Windows apps Listed Windows apps are allowed access to account information.
Privacy/LetAppsAccess
AccountInfo_ForceDenyTheseApps
List of semi-colon delimited Package Family Names of Windows apps Listed Windows apps are denied access to account information.
Privacy/LetAppsAccess
AccountInfo_UserInControlOfTheseApps
List of semi-colon delimited Package Family Names of Windows apps The user is able to control the account information privacy setting for the listed Windows apps.
Privacy/LetAppsAccess
BackgroundSpatialPerception
2 - Force deny Deny Windows apps access to the movement of the user's head, hands, motion controllers, and other tracked objects, while the apps are running in the background.
Privacy/LetAppsAccess
BackgroundSpatialPerception_ForceAllowTheseApps
List of semi-colon delimited Package Family Names of Windows Store Apps Listed apps are allowed access to the user's movements while the apps are running in the background.
Privacy/LetAppsAccess
BackgroundSpatialPerception_ForceDenyTheseApps
List of semi-colon delimited Package Family Names of Windows Store Apps Listed apps are denied access to the user's movements while the apps are running in the background.
Privacy/LetAppsAccess
sBackgroundSpatialPerception_UserInControlOfTheseApps
List of semi-colon delimited Package Family Names of Windows Store Apps The user is able to control the user movements privacy setting for the listed apps.
Privacy/LetAppsAccess
Microphone_ForceDenyTheseApps
List of semi-colon delimited Package Family Names of Microsoft Store Apps Listed apps are denied access to the microphone.
Privacy/LetAppsAccess
Microphone_UserInControlOfTheseApps
List of semi-colon delimited Package Family Names of Microsoft Store Apps The user is able to control the microphone privacy setting for the listed apps.
Search
Search/AllowSearchToUseLocation 0 – Not allowed Disallow search to use location information.
Security
Security/AllowAddProvisioningPackage 0 – Not allowed Disallow the runtime configuration agent to install provisioning packages.
Settings
Settings/AllowVPN 0 – Not allowed Disallow the user to change VPN settings.
Settings/PageVisibilityList Shortened name of the pages that are visible to the userWill provide a UI to select or unselect the page names. See comments for recommended pages to hide. Allow only listed pages to be displayed to the user in Settings app.
System
System/AllowStorageCard 0 – Not allowed SD card use isn't allowed and USB drives are disabled. This setting doesn't prevent programmatic access to the storage card.
System/AllowTelemetry 0 - Not allowed Disallow device to send diagnostic and usage telemetry data, such as Watson.
Updates
Update/AllowUpdateService 1 – Allowed Allow access to Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
Update/ManagePreviewBuilds 0 - Disable Preview builds Disallow preview builds to be installed on the device.
Wi-Fi
Wifi/AllowManualWiFiConfiguration 0 – Not allowed Disallow connecting to Wi-Fi outside of MDM server-installed networks.

2.2 AccountManagement CSP

Node Name Value Description
UserProfileManagement/EnableProfileManager True Enable profile lifetime management for shared or communal device scenarios.
UserProfileManagement/DeletionPolicy 2 - delete at both storage capacity threshold and profile inactivity threshold Configures when profiles will be deleted.
UserProfileManagement/StorageCapacityStartDeletion 25% Start deleting profiles when available storage capacity falls below this threshold, given as percent of total storage available for profiles. Profiles that have been inactive the longest will be deleted first.
UserProfileManagement/StorageCapacityStopDeletion 50% Stop deleting profiles when available storage capacity is brought up to this threshold, given as percent of total storage available for profiles.
UserProfileManagement/ProfileInactivityThreshold 30 Start deleting profiles when they haven't been logged on during the specified period, given as number of days.

2.3 ApplicationControl CSP

Node Name Value Description
Policies/Policy GUID Policy ID in the policy blob Policy ID in the policy blob.
Policies/Policy GUID/Policy Policy blob Policy binary blob encoded in base64.

2.4 ClientCertificateInstall CSP

We recommend configuring this CSP as a best practice but don't have recommendations for specific values for each node in this CSP.

2.5 PassportForWork CSP

Node Name Value Description
Tenant ID TenantId A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management.
TenantId/Policies/UsePassportForWork True Sets Windows Hello for Business as a method for signing into Windows.
TenantId/Policies/RequireSecurityDevice True Requires a Trusted Platform Module (TPM) for Windows Hello for Business.
TenantId/Policies/ExcludeSecurityDevices/TPM12 False TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.
TenantId/Policies/EnablePinRecovery False PIN recovery secret will not be created or stored.
TenantId/Policies/UseCertificateForOnPremAuth False PIN will be provisioned when the user logs in, without waiting for a certificate payload.
TenantId/Policies/PINComplexity/MinimumPINLength 6 PIN length must be greater than or equal to this number.
TenantId/Policies/PINComplexity/MaximumPINLength 6 PIN length must be less than or equal to this number.
TenantId/Policies/PINComplexity/UppercaseLetters 2 Digits are required and all other character sets are not allowed.
TenantId/Policies/PINComplexity/LowercaseLetters 2 Digits are required and all other character sets are not allowed.
TenantId/Policies/PINComplexity/SpecialCharacters 2 Does not allow the use of special characters in PIN.
TenantId/Policies/PINComplexity/Digits 0 Allows the use of digits in PIN.
TenantId/Policies/PINComplexity/History 10 Number of past PINs that can be associated to a user account that can't be reused.
TenantId/Policies/PINComplexity/Expiration 90 Period of time (in days) that a PIN can be used before the system requires the user to change it.
TenantId/Policies/UseHelloCertificatesAsSmartCardCertificates False Applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key.

2.6 RootCATrustedCertificates CSP

We recommend configuring Root, CA, TrustedPublisher and TrustedPeople nodes in this CSP as a best practice but will not recommend on specific values for each node in this CSP.

2.7 TenantLockdown CSP

Node Name Value Description
RequireNetworkInOOBE True When the device goes through OOBE at first logon or after a reset, the user is required to choose a network before proceeding. There is no "skip for now" option. This ensures that the device remains bound to the tenant in case of accidental or intentional resets or wipes.

2.8 VPNv2 CSP

We recommend configuring VPN profiles as a best practice but will not recommend on specific values for each node in this CSP. Most of the settings are related to customer environment.

2.9 WiFi CSP

We recommend configuring WiFi profiles as a best practice but will not recommend on specific values for each node in this CSP. Most of the settings are related to the customer environment.

How to enable these security base lines

  1. Review the security baseline, and decide what to apply.
  2. Determine the Azure Groups that you'll assign the baseline to. (More on users and groups)
  3. Create the baseline.

Here's how to create the baseline.

Many of the settings can be added by using the Settings catalog, however there may sometimes be a setting that hasn't yet been populated to the Settings catalog. In those cases, you'll use a Custom policy, or OMA-URI (Open Mobile Alliance - Uniform Resource Identifier). Start by looking in the Settings catalog, and if it's not found this follow the instructions below for creating a custom policy via OMA-URI.

Settings catalog

Log into your account on the MEM admin center.

  1. Navigate to Devices -> Configuration profiles -> +Create profile. For Platform, select Windows 10 and later, and for profile type select Settings catalog (preview).
  2. Create a name for the profile, and select the Next button.
  3. On the Configuration settings screen select + Add settings.

Using the name of the policy from the baseline above, you can search for the policy. The settings catalog will space out the name, so to find "Accounts/AllowMicrosoftAccountConnection" you'll need to search "Allow Microsoft Account Connection". After you search you'll see the list of policies reduce to just the CSP which has this policy. Select Accounts (or the relevant CSP to what you are current searching), once you do you'll see the policy result below. Check the box for the policy.

Screenshot of the settings picker option.

Once done, the panel on the left will add the CSP category, and the setting that you added. From here you can configure it from the default setting, to one more secure.

Screenshot of the settings catalog.

You can continue to keep adding multiple configurations to the same profile, which will make it easier to assign at once.

Adding custom OMA-URI policies

Some policies may not be available in the Settings catalog yet. For these you'll need to create a custom OMA-URI profile.Log into your account on the MEM admin center.

  1. Navigate to Devices -> Configuration profiles -> +Create profile. For Platform, select Windows 10 and later, and for profile type select Templates and select Custom.
  2. Create a name for the profile, and select the Next button.
  3. Select the Add button.

You'll need to fill out a few fields.

  • Name, you may name it anything you need related to the policy. This can be a shorthand name you use to recognize it.
  • Description will be more details you might need.
  • The OMA-URI will be the full OMA-URI string where the policy is. Example: ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays
  • Data type is the type of value this policy accepts. For this example it's a number between 0 and 60, so Integer was selected.
  • Once you select the data type, you'll be able to write out, or upload, the value needed into the field.

Screenshot of OMA-URI configuring.

Once done, your policy will be added to the main window. You can continue adding all your custom policies to the same custom configuration. This helps reduce managing multiple device configurations and makes assignment easier.

Screenshot of OMA-URI configuration.