SkipToTheEndpoint
diff --git a/‎CHANGELOG.md‎
Lines changed: 7 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎README.md‎
Lines changed: 1 addition & 4 deletions b/‎README.md‎
Lines changed: 1 addition & 4 deletions
diff --git a/‎WINDOWS/CHANGELOG.md‎
Lines changed: 47 additions & 0 deletions b/‎WINDOWS/CHANGELOG.md‎
Lines changed: 47 additions & 0 deletions
@@ -1,11 +1,17 @@
 # OIB Project Changelog
 
+# 2025-02-20
+## Releases
+* [OIB Windows v3.5]]{https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/windows-v3.5)
+
+---
+
 # 2025-01-24
 ## Added
 * Added new comparison and settings rationale against the CIS Intune Benchmark - [OIB v3.4 vs CIS Intune v3.0.1](/WINDOWS/OIBvsCIS-Rationale.csv)
 
 ## Releases
-* [OIB Windows v3.4]{https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/windows-v3.3)
+* [OIB Windows v3.4]{https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/windows-v3.4)
 
 ---
 
 
@@ -14,9 +14,6 @@
   </a>
 </p>
 <p align="center">
-  <a href="https://discord.gg/msems">
-    <img alt="Discord" src="https://img.shields.io/discord/1008077287813550090?label=Join%20the%20MS%20EMS%20Community&logo=discord&style=flat-square" target="_blank" />
-  </a>
   <a href="https://discord.gg/winadmins">
     <img alt="Discord" src="https://img.shields.io/discord/618712310185197588?label=Join%20WinAdmins&logo=discord&style=flat-square" target="_blank" />
   </a>
@@ -93,7 +90,7 @@ Each OS will have its own folder, with OS-specific files (readme, changelog, bas
 The current OIB versions are:
 | OS | Current Release | Change Log | Wiki Page |
 |:---:|:---:|:---:|:---:|
-| [Windows](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/tree/main/WINDOWS) | [v3.4](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/windows-v3.4) | [Link](/WINDOWS/CHANGELOG.md) | [Link](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/wiki/win-readme) |
+| [Windows](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/tree/main/WINDOWS) | [v3.5](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/windows-v3.5) | [Link](/WINDOWS/CHANGELOG.md) | [Link](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/wiki/win-readme) |
 | [Windows 365](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/tree/main/WINDOWS365) | [v1.0](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/win365-v1.0) | [Link](/WINDOWS365/CHANGELOG.md) | [Link](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/wiki/win365-readme) |
 | [MacOS](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/tree/main/MACOS) | [v1.0](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/releases/tag/macos-v1.0) | [Link](/MACOS/CHANGELOG.md) | [Link](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/wiki/macos-readme) |
 
 
@@ -1,5 +1,52 @@
 # OIB Windows Change Log
 
+# Windows v3.5 - 2025-02-20 - 24H2 Baseline Edition (Mostly)
+## Added
+### Settings Catalog
+**Win - OIB - SC - Device Security - D - Windows Package Manager  - v3.5**
+* Added configuration that will be being added to the CIS Benchmark, as well as some additional, non-impacting restrictions to the [Desktop App Installer](https://learn.microsoft.com/en-gb/windows/client-management/mdm/policy-csp-desktopappinstaller) (winget):
+   * Enable App Installer Experimental Features - `Disabled`
+   * Enable App Installer Hash Override - `Disabled`
+   * Enable App Installer Local Manifest Files - `Disabled`
+   * Enable App Installer ms-appinstaller protocol - `Disabled`
+   * Enable App Installer Settings - `Disabled`
+> [!NOTE]
+> If you disable the App Installer completely by setting either "Enable App Installer" or "Enable App Installer Microsoft Store Source" to "Disabled", it **will** break delivery of Store apps from Intune!
+> So don't do that :)
+
+
+## Changed/Updated
+### Settings Catalog
+**Win - OIB - SC - Defender Antivirus - D - Additional Configuration**
+* Added the following settings from the 24H2 Baseline:
+    * [Enable Convert Warn To Block](https://learn.microsoft.com/en-gb/windows/client-management/mdm/defender-csp#configurationenableconvertwarntoblock) - `Warn verdicts are converted to block`
+    * [Passive Remediation](https://learn.microsoft.com/en-gb/windows/client-management/mdm/defender-csp#configurationpassiveremediation) - `1: Passive Remediation Sense AutoRemediation`
+    * [Quick Scan Include Exclusions](https://learn.microsoft.com/en-gb/windows/client-management/mdm/defender-csp#configurationquickscanincludeexclusions) - `1: All files and directories that are excluded from real-time protection using contextual exclusions are scanned during a quick scan.`
+
+**Win - OIB - SC - Device Security - D - Security Hardening**
+* Added the following settings from the 24H2 Baseline:
+    * [PK Init Hash Algorithm Configuration](https://learn.microsoft.com/en-gb/windows/client-management/mdm/policy-csp-kerberos#pkinithashalgorithmconfiguration) - `Enabled`
+        * PK Init Hash Algorithm SHA1 - `Not Supported`
+    * [Enable Sudo](https://learn.microsoft.com/en-us/windows/sudo/) - `Sudo is disabled`
+
+**Win - OIB - SC - Device Security - D - User Rights**
+* Removed `S-1-2-0` (Local) from "Deny Remote Desktop Services Log On" as this breaks Windows 365 access. Resolves [#69](https://github.com/SkipToTheEndpoint/OpenIntuneBaseline/issues/69)
+
+**Win - OIB - SC - Device Security - U - Device Guard, Credential Guard and HVCI**
+* Added the following setting from the 24H2 Baseline:
+    * [Machine Identity Isolation](https://learn.microsoft.com/en-gb/windows/client-management/mdm/policy-csp-DeviceGuard?WT.mc_id=Portal-fx#machineidentityisolation) - `0: (Disabled) Machine password is only LSASS-bound and stored in $MACHINE.ACC registry key.`
+
+**Win - OIB - SC - Microsoft Office - U - Config and Experience**
+* Added a recently added setting to make files clicked in Teams open in the desktop apps rather than in SPO:
+    * File links open preference default selection as Desktop App (User) - `Enabled`
+* Added a setting to remove some options from the save locations available. The tooltip is confusing but `137` restricts OneDrive Personal, SharePoint OnPrem and (most importantly) Third-party Services (e.g Box, Dropbox, Egnyte, ShareFile) from the "Add a place" in the Save As menu.
+    * Hide Microsoft cloud-based file locations in the Backstage view (User) - `137`
+
+**Win - OIB - SC - Windows Hello for Business - D - Cloud Kerberos Trust - v3.5**
+* Added "Cloud Kerberos Ticket Retrieval Enabled" set to `Enabled`.
+
+---
+
 # Windows v3.4 - 2025-01-24
 > [!IMPORTANT]
 > A UI change in November '24 has made _**all**_ policy types visible in the Configuration blade. This has caused a lot of confusion when trying to identify policies configured via Endpoint Security.