Microsoft provides security baselines in Intune, which are updated periodically. These baselines give your devices a minimum security configuration and can be customized to meet your organization’s needs. In this blog we will go into creating a baseline policy from scratch, the caveats in those new policies, and updating those policies.
- Why Security baselines
- What Security baselines are there
- How to create a security baseline
- Creating a manual Security baseline
- Updating Security Baselines
Why Security baselines
Microsoft Intune provides a set of security baselines that can be used to configure and enforce security policies across your organization’s devices. These baselines provide minimum security for your devices and can be customized to meet your organization’s needs.
Here are some reasons why using Intune security baselines is a great start for creating a secure workplace:
- Ease of use: Intune security baselines are quick to deploy and manage from the Endpoint security blade, and every setting can be adjusted before you assign the profile.
- Compliance: the baselines bundle Microsoft’s recommended hardening settings, which gives you a documented starting point for regulatory requirements such as HIPAA and GDPR. A baseline alone does not make you compliant; map its settings to your own controls.
- Consistency: every device in the assigned groups receives the same security settings, giving a consistent level of security across the organization.
- Automation: once a baseline profile is assigned, Intune applies it to every device in the assigned groups, including devices enrolled later, and reports per-device status and conflicts.
- Flexibility: a baseline is a starting point, not a fixed list. You can set individual settings to Not configured and cover them in a separate policy where part of the organization needs an exception.
What Security baselines are there
The security baselines available in Intune are:
- Security Baseline for Windows 10 and later: a set of recommended security settings for Windows devices, such as BitLocker, password policy, basic authentication, and more.
- Security Baseline for Microsoft Defender for Endpoint: recommended settings for the Microsoft Defender for Endpoint service, such as attack surface reduction rules, BitLocker, Device Guard, and device installation.
- Security Baseline for Microsoft Edge: recommended settings for the Microsoft Edge browser, such as supported authentication schemes, default Adobe Flash settings, site isolation, and more.
- Security Baseline for Windows 365 Cloud PC: recommended settings for the Windows 365 Cloud PC service, such as voice activation, app runtime, application management, attack surface reduction rules, and more.
- Security Baseline for Microsoft 365 Apps.
Note that several baselines configure the same settings (BitLocker and attack surface reduction rules appear in more than one list above), so assigning more than one baseline to the same devices can produce conflicts unless the overlapping settings are aligned or set to Not configured in one of them.
How to create a security baseline
So now we know a security baseline is a group of preconfigured settings representing a product’s recommended security posture. We can use Intune to deploy security baselines to our Windows devices and customize them to suit the organization’s needs. These are the steps to create a security baseline in Intune:
- Select Endpoint security > Security baselines to view the list of available baselines. In this case we will create a Windows 10 or later baseline: click Security Baseline for Windows 10 and later and then + Create Profile.
- Enter a name and description for the profile and select Next. Review the configuration settings and modify them as needed; you can search for a specific setting or filter by category.
- Select Next and select the groups of users or devices you want to assign the profile to. Select Create to create and deploy the profile.
Now comes the part where we need to think over the policy we created: it is a good start for a baseline, but will it work for everyone in the organization? As an example, we would like to remove the BitLocker settings from the baseline and put them in a separate policy. In the baseline, BitLocker is configured for both the system drive and removable (USB) drives, but we want to be able to exclude a few people in the organization who need to plug in a USB drive without encryption. To do that, set the BitLocker settings in the baseline to Not configured and create a dedicated BitLocker policy assigned with an exclusion group; leaving the same setting in both policies with different values shows up as a conflict on the device, and which value wins is not something you want to rely on.
Before implementing it, use deployment rings to release it in stages to the production environment.
Creating a manual Security baseline
There is another choice we can make, and that is to create a manual security baseline based on the Security Compliance Toolkit and the baselines Microsoft publishes with it. We can do this because we want more flexibility, or because in the last couple of years Microsoft didn’t release that many updates: at the time of writing, the latest Windows security baseline in Intune dates from November 2021. Microsoft is working on a new release, but it is taking time because of the change to settings catalog items. Therefore it might be good to create a baseline manually.
To start, Microsoft publishes the security baselines for Edge, Microsoft 365 Apps, and Windows as part of the Security Compliance Toolkit and Baselines on the Official Microsoft Download Center.
We are going to use Edge in this example. Go to the download folder and see what’s in the baseline:
In the Documentation folder there is an Excel file we can use to see which security settings Microsoft sets in the basic security baseline for Edge.
We can do two things: create all the settings manually, or get some help from Intune. In the GPOs folder are the files we are going to use for now, including a GPReport.xml with all the settings, the same ones listed in the Excel file.
Use group policy analytics
Now go to Intune, Devices | Group Policy analytics, and click Import.
Select the GPReport.xml from the download folder and click Next. If scope tags are used, add them, then click Next and Create. After the import the screen will look like below. Now click on the MDM support percentage.
On the MDM support page we can see which policies can be created in a Settings catalog profile, and which gaps we need to solve or address. In the Edge security baseline there is only one policy the analyzer didn’t find. Here comes one of the concerns: if we search for it manually in the settings catalog, it is just a policy we can create. So the analyzer is a helpful tool for creating a baseline policy, not the final word on what is supported.
Now click Migrate, select all the settings we need to add, and click Next. We will see an overview of all the settings we will migrate; click Next. Give the new policy a name and description according to your naming convention, click Next, add scope tags and an assignment, and click Create. We just created a security baseline manually, but don’t forget to add the missing settings, or do a gap analysis of the settings that cannot be found; maybe those can be created with a custom OMA-URI policy.
Updating Security Baselines
Updating security baselines in Intune is important for several reasons:
- Security Enhancements: New baseline versions can include newer settings that enhance security measures, which aren’t available in older versions.
- Compliance with Recommendations: Each new version might include updates to the default configurations for some settings that align with the latest security recommendations.
- Feature Updates: Outdated versions don’t support edits to their setting configurations. Updating allows you to introduce new configurations for settings.
- Avoiding Conflicts: It helps avoid conflicts with other security policies and ensures that your security posture is consistent and up-to-date.
- Migration Support: Intune introduced a new process to help migrate an existing security baseline profile to the newer baseline version, which is a one-time process replacing the normal update behavior.
It’s recommended to update your older baseline versions to the latest version as soon as it’s practical to do so, to ensure that your devices and users are protected with the most current security configurations.
Updating the manual Security baselines
Updating a manually created security baseline can be done by downloading the new version of the toolkit. In the toolkit there is an Excel file under the Documentation folder with “delta” in its name. This file shows the differences between the old and the new baseline. Now we can copy the settings catalog profile, remove the old settings and add the new ones, or we can create a full new baseline like before.
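The delta spreadsheet tells you what changed between two toolkit releases, but the GPReport.xml you imported into Group Policy analytics contains the same information, so the gap analysis (which settings the analyzer found) and the version delta can both be computed from it. The following PowerShell is an added example, not code from the original post or from the Security Compliance Toolkit: it parses a GPReport.xml into a flat list of Administrative Template policies and diffs two versions of the report. The two reports at the bottom are constructed sample data in the shape of a Get-GPOReport XML export, and the policy names in them are illustrative only.

```powershell
# Added example (not from the original post or the toolkit): flatten a GPReport.xml
# into policies and diff two report versions, like the toolkit's deltas spreadsheet.

function Get-ChildText {
    # Text of the first direct child element with this local name, ignoring the
    # q1: namespace prefix the report uses.
    param([System.Xml.XmlNode]$Node, [string]$LocalName)
    ($Node.ChildNodes | Where-Object { $_.LocalName -eq $LocalName } | Select-Object -First 1).InnerText
}

function Get-GpReportPolicies {
    param([Parameter(Mandatory)][xml]$Report)
    $ns = @{
        gp  = 'http://www.microsoft.com/GroupPolicy/Settings'
        reg = 'http://www.microsoft.com/GroupPolicy/Settings/Registry'
    }
    foreach ($scope in 'Computer', 'User') {
        $xpath = "/gp:Report/gp:GPO/gp:$scope//reg:Policy"
        foreach ($match in Select-Xml -Xml $Report -XPath $xpath -Namespace $ns) {
            $p = $match.Node
            # Child elements other than the descriptive ones (DropDownList, EditText,
            # Checkbox, ...) carry the configured value; flatten them as name=value so
            # a changed value, not only a changed state, shows up in the diff.
            $value = ($p.ChildNodes | Where-Object {
                    $_.NodeType -eq 'Element' -and
                    $_.LocalName -notin 'Name', 'State', 'Explain', 'Category', 'Supported'
                } | ForEach-Object {
                    $v = Get-ChildText $_ 'Value'
                    if (-not $v) { $v = Get-ChildText $_ 'State' }
                    "$(Get-ChildText $_ 'Name')=$v"
                }) -join '; '
            [pscustomobject]@{
                Scope    = $scope
                Category = Get-ChildText $p 'Category'
                Name     = Get-ChildText $p 'Name'
                State    = Get-ChildText $p 'State'
                Value    = $value
            }
        }
    }
}

function Compare-GpReportPolicies {
    param([Parameter(Mandatory)][xml]$OldReport, [Parameter(Mandatory)][xml]$NewReport)
    $old = @{}; $new = @{}
    foreach ($p in Get-GpReportPolicies $OldReport) { $old["$($p.Scope)|$($p.Category)|$($p.Name)"] = $p }
    foreach ($p in Get-GpReportPolicies $NewReport) { $new["$($p.Scope)|$($p.Category)|$($p.Name)"] = $p }
    $describe = { param($x) "$($x.State) $($x.Value)".Trim() }

    foreach ($key in $new.Keys) {
        if (-not $old.ContainsKey($key)) {
            [pscustomobject]@{ Change = 'Added'; Policy = $new[$key].Name; Old = $null; New = & $describe $new[$key] }
        } elseif ((& $describe $old[$key]) -ne (& $describe $new[$key])) {
            [pscustomobject]@{ Change = 'Changed'; Policy = $new[$key].Name; Old = & $describe $old[$key]; New = & $describe $new[$key] }
        }
    }
    foreach ($key in $old.Keys) {
        if (-not $new.ContainsKey($key)) {
            [pscustomobject]@{ Change = 'Removed'; Policy = $old[$key].Name; Old = & $describe $old[$key]; New = $null }
        }
    }
}

# Constructed sample reports (not real baseline content). For a real run replace these
# with [xml](Get-Content -Raw '<path to the old/new GPReport.xml>').
$oldReport = [xml]@'
<Report xmlns="http://www.microsoft.com/GroupPolicy/Settings" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <GPO><Name>Constructed Edge baseline, old version</Name>
    <Computer><Enabled>true</Enabled><ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q1:RegistrySettings">
        <q1:Policy><q1:Name>Enable site isolation for every site</q1:Name><q1:State>Enabled</q1:State><q1:Category>Microsoft Edge</q1:Category></q1:Policy>
        <q1:Policy><q1:Name>Supported authentication schemes</q1:Name><q1:State>Enabled</q1:State><q1:Category>Microsoft Edge/HTTP authentication</q1:Category>
          <q1:EditText><q1:Name>Supported authentication schemes</q1:Name><q1:State>Enabled</q1:State><q1:Value>ntlm,negotiate</q1:Value></q1:EditText></q1:Policy>
        <q1:Policy><q1:Name>Default Adobe Flash setting</q1:Name><q1:State>Enabled</q1:State><q1:Category>Microsoft Edge/Content settings</q1:Category>
          <q1:DropDownList><q1:Name>Default Adobe Flash setting</q1:Name><q1:State>Enabled</q1:State><q1:Value><q1:Name>Block the Adobe Flash plugin</q1:Name></q1:Value></q1:DropDownList></q1:Policy>
      </Extension><Name>Registry</Name>
    </ExtensionData></Computer>
    <User><Enabled>true</Enabled></User>
  </GPO>
</Report>
'@
$newReport = [xml]@'
<Report xmlns="http://www.microsoft.com/GroupPolicy/Settings" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <GPO><Name>Constructed Edge baseline, new version</Name>
    <Computer><Enabled>true</Enabled><ExtensionData>
      <Extension xmlns:q1="http://www.microsoft.com/GroupPolicy/Settings/Registry" xsi:type="q1:RegistrySettings">
        <q1:Policy><q1:Name>Enable site isolation for every site</q1:Name><q1:State>Enabled</q1:State><q1:Category>Microsoft Edge</q1:Category></q1:Policy>
        <q1:Policy><q1:Name>Supported authentication schemes</q1:Name><q1:State>Enabled</q1:State><q1:Category>Microsoft Edge/HTTP authentication</q1:Category>
          <q1:EditText><q1:Name>Supported authentication schemes</q1:Name><q1:State>Enabled</q1:State><q1:Value>negotiate</q1:Value></q1:EditText></q1:Policy>
        <q1:Policy><q1:Name>Allow users to proceed from the HTTPS warning page</q1:Name><q1:State>Disabled</q1:State><q1:Category>Microsoft Edge</q1:Category></q1:Policy>
      </Extension><Name>Registry</Name>
    </ExtensionData></Computer>
    <User><Enabled>true</Enabled></User>
  </GPO>
</Report>
'@

Compare-GpReportPolicies -OldReport $oldReport -NewReport $newReport | Format-Table -AutoSize
```

Against the two constructed reports this lists one added policy, one changed value (the authentication schemes) and one removed policy (Flash), which is exactly the worklist for a copied settings catalog profile. Get-GpReportPolicies on its own gives the full list of policies the analyzer was supposed to find, so it can also be compared with what Group Policy analytics reports as MDM supported to find the gaps mentioned in the previous section.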
Updating the Intune security baselines
In Intune there will be a message telling us we are using an older or deprecated version of the security baseline of a specific product.
Go to Endpoint security | Security baselines and open the baseline of a product; in this case we will use the Edge Security Baseline.
Now click the check box of the specific baseline and click Change Version.
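The portal only shows the deprecation message when you open a baseline, so in a tenant with many profiles it is easy to miss one. The following PowerShell is an added example, not code from the original post or from Microsoft: it inventories every security baseline profile over Microsoft Graph and flags the ones whose baseline version is no longer current. It assumes the Microsoft.Graph PowerShell SDK is installed, that the signed-in account has the DeviceManagementConfiguration.Read.All permission, and that the beta endpoints and property names it uses (templates and intents for the template based baselines, configurationPolicies and configurationPolicyTemplates for the settings catalog based ones) are as documented at the time of writing; verify them against the Graph documentation before relying on the output.

```powershell
# Added example (not from the original post or from Microsoft). Assumptions: the
# Microsoft.Graph SDK, DeviceManagementConfiguration.Read.All, and the beta endpoints
# and property names below as documented at the time of writing.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' -NoWelcome

function Get-GraphCollection {
    # GET a collection and follow @odata.nextLink, so large tenants are not cut off
    # after the first page of results.
    param([Parameter(Mandatory)][string]$Uri)
    $items = @()
    while ($Uri) {
        $page = Invoke-MgGraphRequest -Method GET -Uri $Uri
        $items += $page.value
        $Uri = $page.'@odata.nextLink'
    }
    $items
}

$base = 'https://graph.microsoft.com/beta/deviceManagement'

# Template based baselines (the model before May 2023): one template per baseline
# version, one intent per profile created from it. Intents also cover the older
# endpoint security profiles; the Type column (templateType) tells them apart.
$templates = @{}
foreach ($t in Get-GraphCollection "$base/templates") { $templates[$t.id] = $t }

$templateBased = foreach ($i in Get-GraphCollection "$base/intents") {
    if (-not $i.templateId) { continue }
    $t = $templates[$i.templateId]
    if (-not $t) { continue }
    [pscustomobject]@{
        Profile  = $i.displayName
        Baseline = $t.displayName
        Type     = $t.templateType
        Version  = $t.versionInfo
        Assigned = [bool]$i.isAssigned
        Outdated = [bool]$t.isDeprecated   # deprecated template: no new intents can be created from it
    }
}

# Settings catalog based baselines (the model since May 2023): the policy carries a
# templateReference; the template's lifecycleState says whether that version is still
# 'active' or has been superseded/deprecated (assumed property, see lead-in).
$catalogTemplates = @{}
foreach ($t in Get-GraphCollection "$base/configurationPolicyTemplates") { $catalogTemplates[$t.id] = $t }

$catalogBased = foreach ($p in Get-GraphCollection "$base/configurationPolicies") {
    if ($p.templateReference.templateFamily -ne 'baseline') { continue }
    $t = $null
    if ($p.templateReference.templateId) { $t = $catalogTemplates[$p.templateReference.templateId] }
    [pscustomobject]@{
        Profile  = $p.name
        Baseline = $p.templateReference.templateDisplayName
        Type     = 'settingsCatalog'
        Version  = $p.templateReference.templateDisplayVersion
        Assigned = [bool]$p.isAssigned
        Outdated = ($null -ne $t -and $t.lifecycleState -ne 'active')
    }
}

@($templateBased) + @($catalogBased) |
    Sort-Object Outdated -Descending |
    Format-Table Profile, Baseline, Type, Version, Assigned, Outdated -AutoSize
```

Profiles that are both Outdated and Assigned are the ones to schedule for Change Version first; an unassigned outdated profile can usually just be deleted after the new one is in place.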
Updating older versions (before May 2023)
Because this specific baseline is written in the older format (before May 2023), we have to do some extra steps; these are shown in a pop-up screen as well.
Click Export Profile Settings. A CSV file will be downloaded that tells us which settings are set in our old baseline and whether they differ from the default baseline. The relevant columns are:
- defaultJson: the default configuration for this setting as seen in the new baseline format.
- customizedJson: the configuration of each setting from the older profile version. This shows which settings in the new profile need to be modified to match the older profile’s configuration. Settings show “NotApplicable” when they weren’t modified from the default in the older baseline version we have been using.
After checking every setting we can click Create. Give the new policy a name and description and click Next. Do another check on all the settings and click Next. For the assignment it is wise to use the deployment rings like we used before.
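Checking every row of that export by hand is tedious for a baseline with hundreds of settings. The following PowerShell is an added example, not code from the original post: it reads the exported CSV and keeps only the settings whose value in the old profile differs from the new baseline’s default, which is the list you need to re-apply in the new profile. It assumes the file has the defaultJson and customizedJson columns described above and that the remaining columns identify the setting (the exact name of the identifier column is not assumed); the path is a placeholder.

```powershell
# Added example (not from the original post). Assumptions: the CSV has the defaultJson
# and customizedJson columns from Export Profile Settings; other columns identify the
# setting; the path below is a placeholder.

function ConvertTo-CompactJson {
    # Reserialize so that whitespace differences alone do not count as a change.
    param([string]$Text)
    try { $Text | ConvertFrom-Json | ConvertTo-Json -Compress -Depth 20 } catch { $Text }
}

function Get-CustomizedBaselineSettings {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        # "NotApplicable" (or an empty cell) means the old profile left the setting at default.
        if ([string]::IsNullOrWhiteSpace($row.customizedJson) -or $row.customizedJson -eq 'NotApplicable') { continue }
        $newDefault = ConvertTo-CompactJson $row.defaultJson
        $oldValue   = ConvertTo-CompactJson $row.customizedJson
        # A customized value that happens to equal the new default needs no work either.
        if ($newDefault -eq $oldValue) { continue }
        $label = ($row.PSObject.Properties |
            Where-Object { $_.Name -notin 'defaultJson', 'customizedJson' -and $_.Value } |
            ForEach-Object { $_.Value }) -join ' / '
        [pscustomobject]@{ Setting = $label; NewDefault = $newDefault; OldValue = $oldValue }
    }
}

Get-CustomizedBaselineSettings -Path "$HOME\Downloads\ExportedSettings.csv" | Format-List
```

Keep the output next to the new profile while you edit it; each row is one setting to change from NewDefault to OldValue, unless the new default is the more secure choice and you decide to adopt it.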
Updating newer versions (after May 2023)
To update a security baseline to a newer version there is a new way of doing this task. The first steps are the same: go to Endpoint security | Security baselines and open the baseline of a product, in this case the Microsoft 365 Apps Security Baseline.
Now click the check box of the specific baseline and click Change Version.
Click Create. We see the usual name and description fields with some extra info: which policy it was duplicated from and, most helpful, which version it was and which version it will become.
Click Next and assign the new policy.
Once a baseline is based on the settings catalog (after May 2023), updating to a newer version is done with these options, which will be very helpful on our way towards the most secure and productive endpoint.
Microsoft Intune’s security baselines provide a powerful and flexible tool for managing your organization’s security configuration. They offer ease of use, compliance, consistency, automation, and flexibility, making them an excellent starting point for creating a secure workplace.
Creating a security baseline in Intune involves selecting the desired baseline, customizing the configuration settings as needed, and assigning the profile to the appropriate groups of users or devices. It’s important to carefully consider the impact of these settings on your organization and to use deployment rings to gradually roll out changes.
It is very important to keep these security baselines up to date, so let’s hope Microsoft will update the security baselines in Intune more frequently. The Windows security baseline for 23H2 is now planned for Q1 2024.