Windows v3.8 - 2026-04-16 - IR40 Edition 🎂

Added 🆕

Settings Catalog

🆕Win - OIB - SC - Network Security - D - Disable NTLM - v3.8

• Added 3 settings to disable NTLM authentication and traffic across the board, following the Microsoft guidance on Disabling NTLM:
  • Network Security LAN Manager Authentication Level - Send NTLMv2 responses only. Refuse LM and NTLM
  • Network Security Restrict NTLM Incoming NTLM Traffic - Deny all accounts
  • Network Security Restrict NTLM Outgoing NTLM Traffic To Remote Servers - Deny all accounts

As of June 2024, NTLM has been marked as deprecated, NTLMv1 has been removed from Windows 11 24H2+, and will soon be disabled by default: Advancing Windows security: Disabling NTLM by default.

🆕Win - OIB - SC - Windows User Experience - D - Automatic Restart Sign-On - v3.8

• The following settings have been moved out of the Login and Lock Screen policy and into their own policy to make them easier to find and manage:
  • Sign-in and lock last interactive user automatically after a restart - Enabled
  • Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot - Enabled
    • Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot - Enabled if BitLocker is on and not suspended

Automatic Restart Sign-On (ARSO) is a great user experience feature that allows users to be automatically signed back in after a restart or cold boot, which is particularly useful for devices that are configured to auto-update outside of active hours. I have attempted to balance the user experience benefits of this feature with the security implications by ensuring this only happens if BitLocker is on and not suspended, though use your own judgement in your environment.

The primary reason for moving these settings out is that ARSO has to be explicitly disabled if you want to implement Personal Data Encryption (PDE). Splitting these policies makes decision-making on security choices easier and more managable. Resolves #141

Endpoint Security

🆕Win - OIB - ES - Windows Firewall - D - Security Rules - v3.8

• Added 3 rules to block outbound connections for three low-risk applications regularly used as LOLBINs (Living Off The Land Binaries) by attackers:
  • mshta.exe
  • notepad.exe
  • calc.exe

Each rule is configured as follows and has rules for both 32-bit and 64-bit binaries:

* Direction - The rule applies to outbound traffic.
* Action - Block
* Enabled - True
* Interface Types - All
* File Path - %systemroot%\{bitness}\{app}.exe
* Network Types - FW_PROFILE_TYPE_ALL: This value represents all these network sets and any future network sets.

This addition was driven by a new Defender Secure Score recommendation (MC1266905) specifically for mshta.exe, with calc and notepad being suggestions by MVP Jay Kerai (@jkerai1)

Changed/Updated 🔄️

Settings Catalog

🔄️Win - OIB - SC - Defender Antivirus - D - Additional Configuration

• Removed "Intel TDT Enabled" as the setting has been deprecated and is no longer configurable (PMPC Blog - Intel TDT Deprecated). Resolves #182

🔄️Win - OIB - SC - Device Security - D - Login and Lock Screen

• Changed "Do not display the password reveal button" from Enabled to Disabled following the updated NIST & CIS guidance rationale provided by @JackStuart. Resolves #146
• Removed settings related to ARSO (Automatic Restart Sign-On) as these have been moved to their own profile.

🔄️Win - OIB - SC - Microsoft Edge - D - Security

• Added "Enable Network Prediction" set to Enabled and Don't predict network actions on any network connection. Resolves [#163] and matches CIS Edge Benchmark setting.
• Added "Enable Microsoft Defender SmartScreen DNS requests" set to Enabled to ensure SmartScreen works as expected..
• Changed "Configure users ability to override feature flags" from Disabled to Enabled as there's a sub-setting that then exists to actually Prevent users from overriding feature flags. Thanks Microsoft.
• Removed "InsecurePrivateNetworkRequestsAllowed" as the setting is obsolete. Resolves #170
• Removed "Enable renderer code integrity" as the setting is deprecated.

🔄️Win - OIB - SC - Microsoft Edge - U - User Experience

• Added "Default notification setting (User)" to Enabled and Don't allow any site to show desktop notifications. Resolves #198
• Added "Allow notifications on specific sites" set to Enabled with *.microsoft.com and *.cloud.microsoft configured.

• Added "Block access to a list of URLs" set to Enabled with various apps.microsoft.com URLs as an attempt to prevent users potentially bypassing other Store block policies and downloading them from the website directly.

• Added "Control whether an informational webpage for Edge for Business is shown in the new tab after major browser updates" set to Disabled because this isn't really necessary for enterprise users and just creates more noise.
• Removed "Enable Gamer Mode" as the setting is obsolete. Resolves #170

🔄️Win - OIB - SC - Microsoft OneDrive - U - Configuration

• Added "Start OneDrive automatically when signing in to Windows" set to Enabled, overriding the user's ability to turn it off, accidentally or otherwise. Resolves #168

🔄️Win - OIB - SC - Microsoft Store - D - Configuration

• Changed "Allow All Trusted Apps" from 'Explicit Deny' to 'Explicit Allow Unlock' which was blocking both the EPM agent and OneDrive from installing L1 right-click menu items. Resolves #186 and #50

🔄️Win - OIB - SC - Windows User Experience - U - Copilot

• Added "Remove Microsoft Copilot App" set to Removal Enabled to trigger removal of the Consumer Copilot app.

🔄️Win - OIB - SC - Windows User Experience - D - Feature Configuration

• Added "Disable Share App Promotions" set to Promotional Apps on ShareSheet are Disabled. to stop promotional options being visible in the right-click Share menu.
• Added "Do Not Use Web Results" set to Not allowed. Queries won't be performed on the web and web results won't be displayed when a user performs a query in Search. to clean up the Start Menu search results.