OS hardening & security baselines
Legacy protocol lockdown, credential protection, PowerShell controls and deployable security baselines — itemised on a written plan, deployed in your own Intune tenant, and reversible item by item.
Why this matters
A freshly enrolled Windows device still speaks protocols designed for networks that no longer exist. LLMNR and NetBIOS broadcast name lookups that anything on the same segment can answer — poisoned responses that capture credential hashes remain a staple finding in penetration test reports. NTLMv1, RC4 and TLS 1.0 stay accepted across much of a typical estate until someone deliberately turns them off, and in most tenants nobody has, because the work is genuinely fiddly: dozens of individual settings, each delivered a different way, each with its own failure mode, and no natural owner.
The common end state is a tenant with a compliance policy, a PIN requirement and little else, described internally as "managed" — while credentials sit in LSASS unprotected on devices Credential Guard never reached, macro blocking rests on Office defaults that no policy enforces, and PowerShell executes with no record of what it ran.
What a good build does
Decolla treats hardening as discrete, itemised changes rather than one opaque bundle accepted on faith. This section of the catalogue spans legacy protocol and cipher lockdown, credential protection, PowerShell logging and language-mode controls, logon and macro hardening, and deployable Microsoft Windows and Edge baselines alongside community options from CIS, NCSC and OpenIntuneBaseline.
Every item lands on a written plan before anything runs, stating how it is delivered and its reversibility class, with anything irreversible flagged for explicit approval. Riskier lockdowns are staged rather than switched on wholesale: incoming NTLM restriction ships audit-first, so you read your own event logs before moving to deny. Credential Guard is hardware-gated, targeting only devices that can actually run it. Where an organisation genuinely needs an exception — the line-of-business installer that demands UAC off is the classic — it survives only as a flagged, documented exception recorded beside the canonical hardening item, never deployed alongside it. Config Refresh re-applies policy on a schedule so local tampering doesn't quietly unwind the work, and every change Decolla makes carries per-item rollback.
Where it bites people
Protocol lockdown breaks the thing nobody documented. Refuse NTLM or disable SMBv1 estate-wide and a decade-old multifunction printer's scan-to-folder, or a NAS on ancient firmware, stops authenticating — often days later, and the ticket says "scanning is broken", not "NTLM was refused". This is precisely why the plan is itemised and staging exists: audit before deny, and per-item rollback lets you revert the single implicated change while the rest of the hardening stays in place.
Baseline stacking produces a tenant nobody can reason about. Dropping a Microsoft baseline onto hand-built policies, or layering two community baselines at once, generates settings conflicts that Intune reports but does not explain. Decolla's plan shows exactly which baseline items are in scope before you approve them — and the Defender baseline is deliberately excluded from this section, because it lives in Endpoint protection, so the two never overlap.
What's in this section (27 items)
| Item | Tier | Delivery | Reversibility |
|---|---|---|---|
| Disable SMBv1 (client + server) | Standard | settingsCatalog | auto |
| LAN Manager auth level 5 (refuse LM & NTLM) | Standard | settingsCatalog | auto |
| Do not store LM hash (NoLMHash) | Standard | settingsCatalog | auto |
| Disable LLMNR (multicast name resolution) | Standard | settingsCatalog | auto |
| LSA Protection (RunAsPPL) | Standard | settingsCatalog | auto |
| Credential Guard / VBS (hardware-gated) | Recommended | endpointSecurity | reverse |
| Disable TLS 1.0/1.1, assert 1.2/1.3 | Recommended | platformScript | auto |
| Restrict outgoing NTLM + 128-bit session sec | Recommended | settingsCatalog | auto |
| Restrict incoming NTLM (audit -> deny) | Optional | settingsCatalog | auto |
| LDAP client signing + channel binding | Recommended | settingsCatalog | auto |
| Disable NetBIOS over TCP/IP (per NIC) | Recommended | remediation | auto |
| Disable weak SChannel ciphers (RC4/3DES/DES) | Optional | platformScript | auto |
| Remove Windows PowerShell v2 (skip on 25H2) | Recommended | remediation | auto |
| PowerShell Constrained Language Mode | Optional | remediation | auto |
| PowerShell script-block + module logging | Recommended | settingsCatalog | auto |
| UAC hardening (block EnableLUA=0, secure desktop) | Standard | settingsCatalog | auto |
| Block Office macros from the internet (VBA MOTW) | Standard | settingsCatalog | auto |
| Network hardening | Optional | settingsCatalog | auto |
| RDC client: do not allow saved passwords | Recommended | settingsCatalog | reverse |
| Do not display last signed-in user at logon | Recommended | settingsCatalog | reverse |
| Explorer hardening: separate process + generic view | Optional | remediation | reverse |
| Microsoft security baselines (Windows + Edge) | Recommended | native | reverse |
| Community hardening baselines (CIS / NCSC / OpenIntuneBaseline) | Recommended | native | reverse |
| Script file association hardening (.js/.jse/.vbs/.wsf to Notepad) | Advanced | script | reverse |
| Advanced audit policy & event log sizing | Standard | native | auto |
| Config Refresh (scheduled policy re-apply) | Recommended | native | auto |
| Device Guard / VBS | Optional | settingsCatalog | reverse |
Reversibility: auto reverses when unassigned · reverse reversible with a documented step · irreversible flagged before you approve the plan.
See it on a real device.
Decolla is in private build — early-access members see a build defined, deployed and rolled back first.
Get early access