Security baselines in Intune for Windows

Jonas Bøgvad
Jonas Bøgvad

Table of Contents

We can use Microsoft's best practices as a starting point for a security baseline. When I start a new project or implementation, I always use these baselines, unless the customer or I have a good reason to go in a different direction. All of this is set up in the early of the workshop or when the Pilot is running.

Intune supports the following platforms to be enrolled.

  • Windows
  • iOS/iPadOS
  • Android
  • macOS

What security baselines is available for Windows?

Since we can use different kinds of Device Configurations (DC), I've put together a list of each possible subject in order of importance when we think about setting up our Windows devices.

  1. Security Baseline
  2. Individual settings (Templates or settings catalog)
  3. ADMX templates

Remember that not all device configurations are supported on every build. Please keep that in mind. Forever assume that I'm speaking of the latest Windows build unless I say otherwise

You can change the version of a baseline that a certain profile is using. When you update a version, you don't have to make a new baseline profile to use the new features. Instead, you can choose a baseline profile and use a built-in option to change the instance version for that profile to a new one.

Let's dig into Security Baselines

A security baseline, which includes Microsoft's recommended best practice configurations, is a good way to get started quickly. Security baselines are groups of Windows settings and default values that have already been set up and are recommended by the security teams at Microsoft.

Benefits:

  • The best practices and recommendations for settings that affect security are part of a security baseline. Intune works with the same Windows security team that makes security baselines for group policy. These suggestions come from advice and a lot of experience.
  • If you are new to Intune and don't know where to begin, security baselines can help. You can quickly make and use a secure profile, knowing that you are helping to protect the resources and data of your organization.
  • If you use group policy now, these baselines make it much easier to switch to Intune for management. These baselines are built right into Intune and come with a modern way to manage them.

Microsoft recommends that everything related to Endpoint security should be set up in the Endpoint Security blade.

When we take a look at the Intune portal at Endpoint.microsoft.com

Endpoint security -> Security baselines

Security Baseline for Windows 10 and later (November 2021)

Looking at "Security Baseline for Windows 10 and later" when we create a profile we will see that we have overwhelming many device configurations.

See the prerequisites for Intune

Microsoft Intune license – This subscription provides access to Intune and the Microsoft Endpoint Manager admin center.

Devices managed with Intune:
The following platforms are supported for Intune

  • Android
  • iOS/iPadOS
  • Windows 10/11 (Hybrid Azure Active Directory Joined or Azure Active Directory Joined)
  • macOS
0:00
/
Small video of all DC

If you choose to toggle and see all subjects, I have marked subjects that I would remove from the baseline and handle myself in a separate policy.

Toggle to see all subjects

  • Above Lock
  • App Runtime
  • Application management
  • Audit
  • Auto Play
  • BitLocker
  • Browser
  • Connectivity
  • Credentials Delegation
  • Credentials UI
  • Data Protection
  • Device Guard
  • Device Installation
  • Device Lock
  • DMA Guard
  • Event Log Service
  • Experience
  • File Explorer
  • Firewall
  • Internet Explorer
  • Local Policies Security Options
  • Microsoft Defender
  • MS Security Guide
  • MSS Legacy
  • Power
  • Remote Assistance
  • Remote Desktop Services
  • Remote Management
  • Remote Procedure Call
  • Search
  • Smart Screen
  • System
  • Wi-Fi
  • Windows Connection Manager
  • Windows Ink Workspace
  • Windows PowerShell

Next up is going to be Microsoft Defender for Endpoint Baseline

Microsoft Defender for Endpoint Baseline (MDE) (December 2020, Version 6) also called MDE

To use this baseline your environment must meet the prerequisites for using Microsoft Defender for Endpoint

When we create a profile with "Microsoft Defender for Endpoint Baseline," we won't see as many device configurations as we do with "Security Baseline for Windows 10 and later," but the big difference between the two is that our environment has met the requirements for MDE.

See the prerequisites for MDE

Prerequisites

Subscriptions: To use Microsoft Defender for Endpoint with Intune, you must have the following subscriptions:

Microsoft Defender for Endpoint: This subscription provides you access to the Microsoft Defender Security Center (ATP portal).

Microsoft Intune – This subscription provides access to Intune and the Microsoft Endpoint Manager admin center.

Devices managed with Intune:
The following platforms are supported for Intune with Microsoft Defender for Endpoint:

  • Android
  • iOS/iPadOS
  • Windows 10/11 (Hybrid Azure Active Directory Joined or Azure Active Directory Joined)
  • macOS
0:00
/

If you choose to Toggle and see all subjects I have marked, I would take some of those out of the baseline and handle them myself in a different policy.

Toggle to see all subjects

  • Attack Surface Reduction Rules
  • BitLocker
  • Device Guard
  • Device Installation
  • DMA Guard
  • Firewall
  • Microsoft Defender
  • Smart Screen

Next up is Windows 365 Security Baseline (Preview)

Windows 365 Security Baseline (version 2101)

Beaware that W365 Security baseline is in preview

If you use Windows 365, you should definitely try out this baseline. It's much harder to change security settings once an environment is in production, so I suggest you test this with a small group until Microsoft releases it from preview.

Reminds me of "Security Baseline for Windows 10 and later (November 2021)" becuase i see a lot of similar settings. Lets take a look.

0:00
/

I haven't marked anything because i need more experience with Windows 365 first.

Toggle to see all subjects

  • Above Lock
  • App Runtime
  • Application management
  • Attack Surface Reduction Rules
  • Audit
  • Auto Play
  • Browser
  • Connectivity
  • Credentials Delegation
  • Credentials UI
  • Device Guard
  • Device Installation
  • DMA Guard
  • Event Log Service
  • Experience
  • File Explorer
  • Firewall
  • Internet Explorer
  • Local Policies Security Options
  • Microsoft Defender
  • Microsoft Defender Antivirus Exclusions
  • Microsoft Edge
  • MS Security Guide
  • MSS Legacy
  • Remote Assistance
  • Remote Desktop Services
  • Remote Management
  • Remote Procedure Call
  • Search
  • Smart Screen
  • System
  • Windows Connection Manager
  • Windows Ink Workspace
  • Windows PowerShell
  • Windows Security

And the last one is Microsoft Edge Baseline

Microsoft Edge Baseline (September 2020 (Edge version 85 and later))

The new Edge browser version 85+, which is based on chromium, is used in almost every production environment. If you're in this group and haven't set up any devices yet, I strongly suggest you start with this baseline.

Lets see what we have inside

0:00
/

We only got one subject

Toggle to see all subjects

Microsoft Edge (yup only this one)

Mixing baselines

You can mix and match all of them except for Windows 365. If you use Windows 365, I suggest that you stick to the baselines for Windows 365.

For Windows 10+, we just need to leave out Windows 365 for a good mix. However, you need to be aware of possible conflicts, so test, test, test, or wait for my next blog, where I will give you the solution. Mixing the baselines for Windows 10+ and MDE.

More information

Learn about Windows security baselines you can deploy with Microsoft Intune
Deploy security baselines to devices to help protect users and data on devices you manage with Microsoft Intune. The default baseline configurations are the recommended windows security settings from the relevant security teams. You can also customize baselines to meet your business requirements.