Microsoft 365 Apps

Overview

The Devicie Microsoft 365 Apps Baseline provides an improved experience for multiple Microsoft Office 365 applications.

Intune Description:

Inspired by CIS 3.0, while allowing for a secure, but productive experience. Configuration impacting Windows Defender, legacy protocols, remote desktop services, auditing and device event logs, Windows Hello for Business and more.

Scope:

This baseline should be applied to Windows devices, in conjunction with the “DEVICIE-PROD-Security Baseline (User)” baseline.

Policy Impact Areas:

When deployed, this policy will impact:

  • Enforcing Microsoft 365 application updates, enabling reliability updates.

  • Automatic sign in to OneDrive, Teams and any other Microsoft 365 applications.

  • OneDrive user experience and security improvements, including known folder redirect, storage and bandwidth usage improvements.

Deployment Notes

  1. Pre-Deployment Considerations:

    • OneDrive usage within the environment (change management, not technical)

  2. Post-Deployment Validation:

    • Verify OneDrive folder redirection is occurring.

    • Verify automatic sign in (for Microsoft 365 applications) occurs on new device deployment.
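
The two validation steps above can be checked on a deployed device with a short script. This is an added example, not part of the Devicie baseline: the function name is hypothetical, and the registry value names are assumed from Microsoft's OneDrive sync app policy reference, so confirm them against the policy as deployed in your tenant.

```powershell
# Added example (not Devicie's own tooling): post-deployment checks for
# OneDrive known folder redirection and silent sign-in.
# Run in the signed-in user's session, not as SYSTEM.

function Test-M365AppsBaseline {   # hypothetical helper name
    $results = [System.Collections.Generic.List[object]]::new()

    # 1. Folder redirection: Desktop, Documents and Pictures should resolve
    #    under the work OneDrive root. OneDriveCommercial is only populated
    #    once a work or school account is signed in to the sync app, so an
    #    empty value also indicates that automatic sign-in has not happened.
    $root = $env:OneDriveCommercial
    foreach ($folder in 'Desktop', 'MyDocuments', 'MyPictures') {
        $path = [Environment]::GetFolderPath($folder)
        $ok = [bool]$root -and $path.StartsWith(
            $root.TrimEnd('\') + '\', [StringComparison]::OrdinalIgnoreCase)
        $results.Add([pscustomobject]@{
            Check = "Known folder $folder"; Observed = $path; Pass = $ok })
    }

    # 2. Device policy values behind the baseline settings (assumed names).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\OneDrive'
    $expected = [ordered]@{
        SilentAccountConfig  = 1   # Silently sign in users with Windows credentials
        FilesOnDemandEnabled = 1   # Use OneDrive Files On-Demand
        KFMBlockOptOut       = 1   # Prevent redirecting known folders back to the PC
    }
    $policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    foreach ($name in $expected.Keys) {
        $value = if ($policy) { $policy.$name } else { $null }
        $results.Add([pscustomobject]@{
            Check = "Policy $name"; Observed = $value
            Pass  = ($value -eq $expected[$name]) })
    }

    # KFMSilentOptIn carries the tenant ID; only its presence is checked here.
    $tenantSet = [bool]$(if ($policy) { $policy.KFMSilentOptIn } else { $null })
    $results.Add([pscustomobject]@{
        Check = 'Policy KFMSilentOptIn (tenant ID present)'
        Observed = $tenantSet; Pass = $tenantSet })

    $results
}

Test-M365AppsBaseline | Format-Table -AutoSize
```

Run it after the user's first sign-in on a newly deployed device and once the sync app has finished its initial setup; a failed known folder check with passing policy checks usually means redirection has not completed yet.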

Known Issues and Resolutions

  • Issue 1: Restricted access to other tenants. Users will not be able to sign in to tenants other than their own.

    • Resolution: Advise Devicie to remove this control (Restrict sign in to Teams to accounts in specific tenants (User)).

Configuration Settings:

| Name | Value |
| --- | --- |
| Microsoft Office 2016 (Machine) | |
| Updates | |
| Don’t install extension for Microsoft Search in Bing that makes Bing the default search engine | Enabled |
| Hide option to enable or disable updates | Enabled |
| OneDrive | |
| Block file downloads when users are low on disk space | Enabled |
|   Minimum available disk space: (Device) | 5120 |
| Enable sync health reporting for OneDrive | Enabled |
| Exclude specific kinds of files from being uploaded | Enabled |
|   Keywords: (Device) | *.lnk;*.pst |
| Hide the "Deleted files are removed everywhere" reminder | Enabled |
| Prevent users from redirecting their Windows known folders to their PC | Enabled |
| Prevent users from syncing libraries and folders shared from other organizations | Enabled |
| Prompt users when they delete multiple OneDrive files on their local computer | Enabled |
|   Number of files: (Device) | 250 |
| Require users to confirm large delete operations | Disabled |
| Set the sync app update ring | Enabled |
|   Update ring: (Device) | Production |
| Silently move Windows known folders to OneDrive | Enabled |
|   Desktop (Device) | True |
|   Documents (Device) | True |
|   Pictures (Device) | True |
|   Show notification to users after folders have been redirected: (Device) | No |
|   Tenant ID: (Device) | |
| Silently sign in users to the OneDrive sync app with their Windows credentials | Enabled |
| Use OneDrive Files On-Demand | Enabled |
| Warn users who are low on disk space | Enabled |
|   Minimum available disk space: (Device) | 5120 |
| Disable the tutorial that appears at the end of OneDrive Setup (User) | Enabled |
| Prevent users from changing the location of their OneDrive folder (User) | Enabled |
|   Change location setting: (User) | |
|     Name | |
|     Value | 1 |
| Prevent users from syncing personal OneDrive accounts (User) | Enabled |
| Microsoft Office 2016 | |
| First Run | |
| Disable First Run Movie (User) | Enabled |
| Disable Office First Run on application boot (User) | Enabled |
| Miscellaneous | |
| Block signing into Office (User) | Enabled |
|   Block signing into Office (User) | Org ID only |
| Telemetry Dashboard | |
| Turn on telemetry data collection (User) | Enabled |
| Trust Center | |
| Automatically receive small updates to improve reliability (User) | Enabled |
| Microsoft Outlook 2016 | |
| Exchange | |
| Automatically configure profile based on Active Directory Primary SMTP address (User) | Enabled |
| PST Settings | |
| Default location for PST files (User) | Enabled |
|   Default location for PST files (User) | %USERPROFILE%\Outlook Files |
| Microsoft Teams | |
| Restrict sign in to Teams to accounts in specific tenants (User) | Enabled |
|   Tenant IDs: (User) | |

Devicie Template Name: Microsoft 365 Apps

Default Intune Deployed Name: DEVICIE-PROD-Microsoft 365 Apps

Version: 1.0

Template Last Updated: Nov 18, 2024

Document Status: DRAFT

Document Last Updated: Apr 10, 2025