365 Multi-Tenant Manager Release on November 25th, 2025

Enhancements

The following new predefined settings have been introduced in the predefined settings library:

  • HS-S0115 – Ensure external Teams communication is restricted to organizational users only
    • Ensures that users can communicate only with Teams accounts that are managed by an organization, preventing them from initiating or receiving messages from accounts that are not part of any organization. Applies to the Global policy only.
  • HS-S0116 – Ensure third party storage in Teams is enabled
    • Ensures the default Teams policy for the organization allows the use of third-party storage providers. Enabling these options allows users to connect to and access Dropbox, Box, Google Drive, Egnyte and ShareFile within Teams.
  • HS-S0117 – Toggle Microsoft Bookings state
    • Ensures that the Microsoft Bookings state is monitored and managed as needed. When enabled, users can create and manage booking calendars. When disabled, no booking pages can be created.
  • HS-S0118 – Ensures that the Busy on Busy feature for Teams calling policy is configured
    • Ensures that the Busy on Busy feature in Microsoft Teams is configured appropriately. When enabled, users who are already on a Teams call will not receive additional incoming calls. This applies to the Global policy only.
  • HS-S0119 – Ensure Microsoft Teams meeting transcription is configured
    • Controls whether meeting transcription is allowed in Microsoft Teams meetings. When enabled, participants can generate a transcript of the meeting, which can be useful for accessibility and taking notes.
  • HS-S0120 – Ensure Quarantine Policy has notifications enabled
    • Controls whether users receive email notifications when messages are placed in their quarantine by Microsoft Exchange Online Protection (EOP).

The following new predefined policies have been introduced in the predefined policies library:

  • HS-P0061 – Ensure remote assistance offer is disabled
    • Disables unsolicited Remote Assistance initiated by corporate technical support staff on managed Windows devices.
  • HS-P0062 – Restrict anonymous access to named pipes and shares
    • Disables anonymous access to shared folders and named pipes on managed Windows devices.
  • HS-P0063 – Ensure LAN manager hashes are not stored on next password change
    • Prevents the storage of LAN Manager (LM) hash values on Windows devices when users change their passwords.
  • HS-P0064 – Ensure installation with elevated privileges is disabled
    • Disables the use of elevated privileges when installing any program on Windows devices.
  • HS-P0065 – Disable ‘Autoplay’ for all drives
    • Disables the Autoplay feature on Windows devices, preventing media from automatically launching when inserted into CD-ROM and removable media drives.
  • HS-P0066 – Ensure AutoRun commands are disabled
    • Disables the execution of autorun commands on Windows devices, preventing automatic launch of programs or media when new drives are connected.
  • HS-P0067 – Ensure LAN Manager authentication level is set for NTLMv2 responses only
    • Disables the use of LAN Manager (LM) and non-v2 New Technology LAN Manager (NTLM) authentication protocols on Windows devices, enforcing the use of NTLMv2 only.
  • HS-P0068 – Disable use of blank passwords for console logon only
    • Restricts local accounts with blank passwords to log on only at the physical computer console, blocking remote access.
  • HS-P0069 – Ensure Solicited Remote Assistance is disabled
    • Prevents users from requesting Remote Assistance via email or file transfer on Windows devices.
  • HS-P0070 – Ensure ‘Local Machine Zone Lockdown Security’ is enabled
    • Enforces Local Machine zone security settings on all local files accessed by supported applications on Windows devices.
  • HS-P0071 – Ensure SMB signing is enabled
    • Communication between the Microsoft network client and server is only enabled if the server agrees to perform Server Message Block (SMB) packet signing.
  • HS-P0072 – Ensure ‘Safe DLL search mode’ is enabled
    • Enforces Safe DLL search mode on Windows devices, which ensures applications search for DLLs in the system path first.
  • HS-P0073 – Ensure sign-in sessions are not persistent for Intune enrollment
    • Requires users to verify their identity every time by re-authenticating before they can enroll their device with Microsoft Intune. Note that if the app (Microsoft Intune Enrollment) is not registered in the tenant, the policy will fail to apply.
  • HS-P0074 – Ensure device code sign-in flow is blocked
    • Blocks the device code sign-in flow to enhance authentication security.
  • HS-P0075 – Block access from untrusted locations
    • Blocks access for all users to all cloud applications from any location except trusted locations. Applies to all client app types. Note: Trusted locations must be defined in advance for the policy to apply correctly.
