Getting started with Security Baselines in Microsoft Intune

Recently Microsoft introduced “Security Baselines” to Intune. This has been in preview for a while and is now generally available.

Security baselines are pre-configured groups of Windows settings that you can apply in one step. The set consists of best-practice and recommended settings that affect security and are recommended for enterprises.

Through this solution you can also migrate your on-premises Group Policy settings to Microsoft Intune in a more convenient way.

Requirements

  • Windows 10 1809 and later

The current baseline version is “May 2019”. This means that the settings are based on the spring release of Windows 10 (1903). It is possible that some settings are not supported on older versions; the baseline policy will report on that.

Create a (Dynamic) Device Group

We need to create a group with devices that support the Intune Security Baseline configuration. As seen in the requirements, the minimum version is Windows 10 1809. So we create a Dynamic device group with supported devices by following these steps:

1. Go to your [Microsoft 365 Device Management portal]
2. Click [Groups]
3. Choose [New Group]
4. Fill in the details

Name: All Devices – Windows 10 1809
Type: Dynamic Device
Rule: (device.deviceOSVersion -contains "10.0.17763") -and (device.DeviceOSType -startsWith "Windows") -and (device.managementType -eq "MDM")

5. Create another group for 1903 devices

Name: All Devices – Windows 10 1903
Type: Dynamic Device
Rule: (device.deviceOSVersion -contains "10.0.18362") -and (device.DeviceOSType -startsWith "Windows") -and (device.managementType -eq "MDM")

The rule checks that the operating system is Windows, that the OS version is 1809 (build 10.0.17763) or 1903 (build 10.0.18362), and that the device is managed by (Intune) MDM.

It can take some time before the groups are populated.
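The same two dynamic groups can be created from the command line instead of the portal. The script below is an added example, not part of the original post; it uses the Microsoft Graph PowerShell SDK (Microsoft.Graph module) and assumes the signed-in account has the Group.ReadWrite.All permission. Group names and mail nicknames are assumptions chosen to match the article.

```powershell
# Added example: create the two dynamic device groups from the article
# with the Microsoft Graph PowerShell SDK. Assumes the Microsoft.Graph
# module is installed and the account can consent to Group.ReadWrite.All.
Connect-MgGraph -Scopes "Group.ReadWrite.All"

# Windows 10 release name -> build number. The membership rule must use the
# build, while the group name stays readable.
$releases = [ordered]@{
    "1809" = "10.0.17763"
    "1903" = "10.0.18362"
}

foreach ($release in $releases.Keys) {
    $build = $releases[$release]
    $name  = "All Devices - Windows 10 $release"

    # Same three conditions as the portal rule in the article: Windows OS,
    # matching build and MDM-managed (Intune). -contains matches any reported
    # version string that contains the build, e.g. 10.0.17763.xxx.
    $rule = "(device.deviceOSVersion -contains ""$build"") -and " +
            "(device.DeviceOSType -startsWith ""Windows"") -and " +
            "(device.managementType -eq ""MDM"")"

    # Skip groups that already exist so the script can be re-run safely.
    $existing = Get-MgGroup -Filter "displayName eq '$name'"
    if ($existing) {
        Write-Output "Group '$name' already exists, skipping."
        continue
    }

    New-MgGroup -DisplayName $name `
        -Description "Windows 10 $release devices managed by Intune MDM (Security Baseline target)" `
        -MailEnabled:$false `
        -MailNickname "win10-$release" `
        -SecurityEnabled `
        -GroupTypes @("DynamicMembership") `
        -MembershipRule $rule `
        -MembershipRuleProcessingState "On" | Out-Null

    Write-Output "Created dynamic group '$name' with rule: $rule"
}
```

As with groups created in the portal, membership is evaluated asynchronously, so the groups can stay empty for a while after creation.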

Create a Security Baseline Profile

Here are the steps you need to take to create a Security Baseline Profile.
1. Go to your [Microsoft 365 Device Management portal]
2. Click [Security Baselines]
3. Choose the available [Windows 10 Security Baseline]
4. Click [Create Profile]

Now we are going to configure the Profile.

Name: Windows 10 – 1903 – Security Baseline
I would recommend picking a name so you can quickly identify the policy.

Description: You can leave it empty or fill in a description.
Configuration Settings: Leave default for now.
Scope Tags: Leave default for now.
Assignments: Assign the groups you created in the previous part.
– All Devices – Windows 10 1903
– All Devices – Windows 10 1809
Review: Review your settings

5. Click [Create]

Monitor the Security Baseline

You can monitor the created baseline by going to [Profiles] and choosing [Windows 10 – 1903 – Security Baseline].

At the [Overview] part we can see that there is a conflict with one of the devices.

The Security Baseline posture by category indicates where to look for the misconfiguration.

You can click through the [Per-Setting status] to filter on which specific settings are in conflict or have an error.

In my case it is a “misconfigured” Windows Hello for Business profile assigned to the device that conflicts with the Security Baseline.

I had to go into Intune and change the assigned Windows Hello for Business profile to fit the baseline. After the change all lights are green.

Change the default settings

You can always modify the current baseline settings to fit your own organisational needs.
Let's say you want to display toast notifications on the Windows 10 lock screen. The default setting in the current baseline policy is to block those notifications.

You can do this at the [Properties] part of the Windows 10 – 1903 – Security Baseline.
1. Click [Edit] at Configuration Settings
2. Go to “Above Lock” and change the setting that blocks toast notifications from “Yes” to [Not Configured]
3. Click [Review + Save] and check the summary
4. Click [Save]

After a while the monitoring information updates and the PC matches the baseline.

Good luck testing it for yourself!

Future
When a new(er) version of the baseline is released I will take a closer look and blog about it on how to compare settings and migrate from one baseline to another.

1 thought on “Getting started with Security Baselines in Microsoft Intune”

  1. Rodrigo Zaninetti

    Hi Stefan, how are you?

    I appreciate your article.

    Please, how can I manage these configurations on the Intune Portal? We have been working in Intune; however, we would appreciate using this baseline to import these configurations into Intune… It has been hard work managing this baseline created on the MDM portal and it is not showing in the Intune policies… Any solution for this?

