External AI hardening baseline for Windows 11
Before importing the policies in this repository https://github.com/vladjoh/ExternalAIHardeningBaseline/tree/main/ExternalAiHardeningW11, ensure your Microsoft 365 environment meets the following requirements
-
✅ Microsoft Defender for Endpoint
- Microsoft Defender for Endpoint must be activated and configured in your tenant.
-
✅ Microsoft 365 Licensing
- Users must be assigned one of the following licenses:
- Microsoft 365 Business Premium with Defender Suite
- Microsoft 365 E3 with Defender Suite
- Microsoft 365 E5
- Microsoft 365 E7
- Users must be assigned one of the following licenses:
-
✅ Microsoft Intune
- Microsoft Intune must be configured as the Mobile Device Management (MDM) authority.
intune.microsoft.com->Devices-> Enrollment -> Automatic Enrollment
-
✅ Microsoft Defender for Endpoint Integration
-
In the Microsoft Defender portal, navigate to:
Settings -> Endpoint
-
Enable the Microsoft Intune connection.
-
-
✅ Microsoft Defender for Cloud Apps Integration
- In the Microsoft Defender portal, navigate to:
Settings -> Endpoints
- Microsoft Defender for Cloud Apps (MDCA)
-
✅ Endpoint Features
-
In the Microsoft Defender portal, navigate to:
Settings -> Endpoints
-
Ensure the following features are enabled:
- Custom Network Indicators
- Web Content Filtering
-
The policies contained in this repository are designed to be imported using MickeM's Intune Management Tool.
App Control Managed Installer policy can't be improted as .json and needs to be setup manually, set it up before deploying App Control policy to your devices. Remember to double check that IME - Intune Managed Extension is installed on device, before enforcing policy for AppControl otherwise it wouldn't work. If it's not installing IME extension with Installer policy, than try to deploy an win32 app first
Once Defender for Endpoint and Cloud App integration is setup and you have device group in Defender go to Cloud Apps-> Cloud Apps Catalog --> Select All Gen AI and other AI apps , exclude non MS apps by tagging NON MS apps as Microsoft and than create a filter like on last picture
Than choose Select ALl and Tag them as Unsanctioned and select Device Group
In Settings -> Endpoint -> Web Content Filtering create a pplicy to Block "Illegal software", Illegal Software category contains well known proxies

Go to https://admin.teams.microsoft.com/policies/manage-apps
Actions -> Org wide setings

Choose this setting and save
Set up app protection policies for BYID devices in Intune and require it with Conditional Access on sign ins. Restrict copy/paste, backup to external cloud, screenshots etc.