Security baselines in Intune for Windows
As a starting point for a security baseline, we can use Microsoft's best practices. I always use these baselines when starting a new project or implementation, unless the customer or I have a good reason to go in a different direction. This is all set up at the start of the workshop or while the Pilot is running.
What security baselines are available for Windows?
Because we can use various Device Configurations (DC), I've compiled a list of each possible subject in order of importance when it comes to configuring our Windows devices.
- Security Baseline
- Individual settings (Templates or settings catalog)
- ADMX templates
Remember that not all device configurations are supported on every build. Always assume that I'm speaking of the latest Windows build unless I say otherwise.
You can change the baseline version that a specific profile is using. When you update a version, you do not need to create a new baseline profile to take advantage of the new features. Instead, you can select a baseline profile and change the instance version for that profile using a built-in option.
Let's dig into Security Baselines
A security baseline that includes Microsoft's best practice configurations is a good way to get started quickly. Security baselines are pre-configured groups of Windows settings and default values that are recommended by Microsoft's security teams.
Benefits:
- The best practices and recommendations for settings that affect security are part of a security baseline. Intune works with the same Windows security team that makes security baselines for group policy. These suggestions come from advice and a lot of experience.
- If you are new to Intune and don't know where to begin, security baselines can help. You can quickly make and use a secure profile, knowing that you are helping to protect the resources and data of your organization.
- If you use group policy now, these baselines make it much easier to switch to Intune for management. These baselines are built right into Intune and come with a modern way to manage them.
Microsoft recommends that everything related to Endpoint security should be set up in the Endpoint Security blade.
Let's take a look at the Intune portal at Endpoint.microsoft.com.
Security Baseline for Windows 10 and later (November 2021)
Looking at "Security Baseline for Windows 10 and later" when we create a profile, we will see that we have an overwhelming number of device configurations.
See the prerequisites for Intune
Microsoft Intune license – This subscription provides access to Intune and the Microsoft Endpoint Manager admin center.
Devices managed with Intune:
The following platforms are supported for Intune
- Android
- iOS/iPadOS
- Windows 10/11 (Hybrid Azure Active Directory Joined or Azure Active Directory Joined)
- macOS
If you choose to toggle and see all subjects, I have marked subjects that I would remove from the baseline and handle myself in a separate policy.
- Above Lock
- App Runtime
- Application management
- Audit
- Auto Play
- BitLocker
- Browser
- Connectivity
- Credentials Delegation
- Credentials UI
- Data Protection
- Device Guard
- Device Installation
- Device Lock
- DMA Guard
- Event Log Service
- Experience
- File Explorer
- Firewall
- Internet Explorer
- Local Policies Security Options
- Microsoft Defender
- MS Security Guide
- MSS Legacy
- Power
- Remote Assistance
- Remote Desktop Services
- Remote Management
- Remote Procedure Call
- Search
- Smart Screen
- System
- Wi-Fi
- Windows Connection Manager
- Windows Ink Workspace
- Windows PowerShell
Next up is going to be Microsoft Defender for Endpoint Baseline
Microsoft Defender for Endpoint Baseline (December 2020, Version 6), also called MDE
To use this baseline your environment must meet the prerequisites for using Microsoft Defender for Endpoint
When we create a profile with "Microsoft Defender for Endpoint Baseline," we won't see as many device configurations as we do with "Security Baseline for Windows 10 and later." The big difference between the two is that our environment must meet the prerequisites for MDE before this baseline can be used.
See the prerequisites for MDE
Prerequisites
Subscriptions: To use Microsoft Defender for Endpoint with Intune, you must have the following subscriptions:
Microsoft Defender for Endpoint: This subscription provides you access to the Microsoft Defender Security Center (ATP portal).
Microsoft Intune – This subscription provides access to Intune and the Microsoft Endpoint Manager admin center.
Devices managed with Intune:
The following platforms are supported for Intune with Microsoft Defender for Endpoint:
- Android
- iOS/iPadOS
- Windows 10/11 (Hybrid Azure Active Directory Joined or Azure Active Directory Joined)
- macOS
If you choose to toggle and see all subjects, I have marked the ones I would take out of the baseline and handle myself in a different policy.
- Attack Surface Reduction Rules
- BitLocker
- Device Guard
- Device Installation
- DMA Guard
- Firewall
- Microsoft Defender
- Smart Screen
Next up is Windows 365 Security Baseline (Preview)
Windows 365 Security Baseline (version 2101)
Be aware that the W365 Security Baseline is in preview.
If you use Windows 365, you should definitely try out this baseline. It's much harder to change security settings once an environment is in production, so I suggest you test this with a small group until Microsoft releases it from preview.
It reminds me of "Security Baseline for Windows 10 and later (November 2021)" because I see a lot of similar settings. Let's take a look.
I haven't marked anything because I need more experience with Windows 365 first.
- Above Lock
- App Runtime
- Application management
- Attack Surface Reduction Rules
- Audit
- Auto Play
- Browser
- Connectivity
- Credentials Delegation
- Credentials UI
- Device Guard
- Device Installation
- DMA Guard
- Event Log Service
- Experience
- File Explorer
- Firewall
- Internet Explorer
- Local Policies Security Options
- Microsoft Defender
- Microsoft Defender Antivirus Exclusions
- Microsoft Edge
- MS Security Guide
- MSS Legacy
- Remote Assistance
- Remote Desktop Services
- Remote Management
- Remote Procedure Call
- Search
- Smart Screen
- System
- Windows Connection Manager
- Windows Ink Workspace
- Windows PowerShell
- Windows Security
And the last one is Microsoft Edge Baseline
Microsoft Edge Baseline (September 2020 (Edge version 85 and later))
The new Edge browser version 85+, which is based on Chromium, is used in almost every production environment. If you're in this group and haven't set up any devices yet, I strongly suggest you start with this baseline.
Let's see what we have inside.
We only get one subject:
- Microsoft Edge (yup, only this one)
Mixing baselines
You can mix and match all of them except for Windows 365. If you use Windows 365, I suggest that you stick to the baselines for Windows 365.
For Windows 10+, a good mix is everything above with Windows 365 left out. However, you need to be aware of possible conflicts between baselines that configure the same setting, so test, test, test, or wait for my next blog, where I will give you the solution for mixing the baselines for Windows 10+ and MDE.
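Before assigning two baselines to the same devices, it helps to know which settings both of them configure and where their values differ. The following PowerShell is an added example and not code from the original post or from Microsoft; it assumes the Microsoft Graph PowerShell SDK is installed, that the beta resource deviceManagement/intents/{id}/settings returns objects with definitionId and valueJson (which is how security baseline profiles are exposed in Graph beta), and it uses constructed sample data with placeholder definition ids so the comparison can be tried offline.

```powershell
# Added example: compare two Intune security baseline profiles and list the
# settings they both configure, flagging those whose values differ.
#
# Assumptions (not taken from the original post):
#  - Baseline profiles are Graph beta "intents"; their settings are read from
#    deviceManagement/intents/{id}/settings as objects with definitionId and valueJson.
#  - Connect-MgGraph has already been run with DeviceManagementConfiguration.Read.All.
#  - The sample settings below are constructed; the definition ids are placeholders.

function Get-BaselineSettings {
    param([Parameter(Mandatory)] [string] $IntentId)

    $uri = "https://graph.microsoft.com/beta/deviceManagement/intents/$IntentId/settings"
    $results = @()
    do {
        # Invoke-MgGraphRequest returns a hashtable; 'value' holds the page of settings.
        $response = Invoke-MgGraphRequest -Method GET -Uri $uri
        $results += $response.value
        $uri = $response.'@odata.nextLink'   # follow paging if Graph returns more pages
    } while ($uri)
    return $results
}

function Find-BaselineOverlap {
    param(
        [Parameter(Mandatory)] [object[]] $SettingsA,   # settings of the first baseline
        [Parameter(Mandatory)] [object[]] $SettingsB    # settings of the second baseline
    )
    # Index the second baseline by definitionId for O(1) lookup.
    $indexB = @{}
    foreach ($s in $SettingsB) { $indexB[$s.definitionId] = $s.valueJson }

    foreach ($s in $SettingsA) {
        if (-not $indexB.ContainsKey($s.definitionId)) { continue }
        $valueB = $indexB[$s.definitionId]
        [pscustomobject]@{
            Setting  = $s.definitionId
            ValueA   = $s.valueJson
            ValueB   = $valueB
            Conflict = ($s.valueJson -ne $valueB)   # same setting, different value
        }
    }
}

# Constructed sample data (placeholder ids, not real Intune definition ids).
$win10Sample = @(
    @{ definitionId = 'sample--firewallProfileDomain_enabled';  valueJson = '"allowed"' },
    @{ definitionId = 'sample--smartScreenEnableInShell';       valueJson = 'true' },
    @{ definitionId = 'sample--bitLockerRequireStartupAuth';    valueJson = 'true' }
)
$mdeSample = @(
    @{ definitionId = 'sample--firewallProfileDomain_enabled';  valueJson = '"allowed"' },
    @{ definitionId = 'sample--smartScreenEnableInShell';       valueJson = 'false' },
    @{ definitionId = 'sample--attackSurfaceReductionRules';    valueJson = '{"blockOfficeChildProcesses":"block"}' }
)

# Offline run against the constructed sample: one overlap is clean, one conflicts.
Find-BaselineOverlap -SettingsA $win10Sample -SettingsB $mdeSample |
    Format-Table -AutoSize

# Live run (requires Connect-MgGraph): replace the placeholders with your profile ids.
# $a = Get-BaselineSettings -IntentId '<WIN10-BASELINE-INTENT-ID>'
# $b = Get-BaselineSettings -IntentId '<MDE-BASELINE-INTENT-ID>'
# Find-BaselineOverlap -SettingsA $a -SettingsB $b | Where-Object Conflict | Format-Table -AutoSize
```

The sample run reports firewallProfileDomain_enabled as overlapping without conflict and smartScreenEnableInShell as a conflict (true versus false); the attack surface reduction setting appears only in the MDE sample and so is not listed. Rows with Conflict set to true are the ones to resolve in a separate policy before both baselines reach the same devices, which is the "test, test, test" step above done up front rather than after a device reports a conflict.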