MSEndpointMgr

Configuring Security Baselines in Microsoft Intune

Announced back at Ignite in September was something that along with ADMX settings was high on the list of the wish list for Intune administrators, this of course was Security Baselines.

For those reading this who do not know what Security Baselines are, Microsoft release a set of pre-configured group policy objects which provide a best practice when it comes to securing your Windows and Office environments (for this post read the Windows baseline document – https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines).

Up until this point it was of course possible to secure Intune managed Windows devices using local non-admin group policy exports, CSP policies or PowerShell scripts however this was very much a time consuming manual process.

When members of the Intune community initially discovered ADMX was on the horizon it was typically one of the first questions that was asked, would it be possible to import security baselines so Microsoft have delivered here in the first public preview of the feature.

First of all this is not an import type process, the baselines (Windows only at the time of writing) are all pre-configured, however you can enable or disable individual settings as required.

How to apply a security baseline

The first thing here you will notice is that the Security Baseline gets is own blade;

You can also access the baseline settings directly from within the Intune blade;

  • Create A New Security Baseline Policy
    Click on the Security Baselines blade and then click on the “PREVIEW: MDM Security Baseline for October 2018 (beta)” box

  • Create Profile
    Click on the “+ Create Profile” button

  • Give the profile a name

  • Customise Baseline Settings
    Here you can set individual setting values, allowing you to over-ride specific settings where required

  • Apply The Policy
    Click on the newly created policyClick on AssignmentsAssign to your required selected group(s)

Verifying Customised Settings Deployment

In the below example I have changed the default event viewer maximum log threshold for both applications and system logs;

  • Edit Required Setting
    Here I have set the system log down to the minimum threshold value of 32768 KB and the application log down to 16384 KB

  • Verify Applied Setting
    As you will see in the below screenshot, the settings were successfully applied

    You can also verify that settings have been made in a more investigative manner in the system event logs. Expanding the

    Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log you will see event ID 814 when settings are applied. Below you can see the detail in the settings payload applied for the EventLogService system log:

Conclusion

The introduction of Windows Security Baselines into Intune device management is yet another stride forward by Microsoft to remove the blocking components that organisations have when it comes to transitioning to the modern management workplace. Sure CSP settings and other work around methods are out there, however when Microsoft releases the next baseline setting list then it can result in a sizable amount of work to update your clients, whereas here it should be a method of simply consuming the new settings pushed down from Microsoft.

As always I would urge you to pass back feedback to Microsoft to help drive the development of these additional management tools as they understand that you are the people on the ground, moving away from traditional GPO managed environments and often see things from a different perspective.

Thanks for reading.

Maurice Daly

Maurice has been working in the IT industry for the past 20 years and currently working in the role of Senior Cloud Architect with CloudWay. With a focus on OS deployment through SCCM/MDT, group policies, active directory, virtualisation and office 365, Maurice has been a Windows Server MCSE since 2008 and was awarded Enterprise Mobility MVP in March 2017. Most recently his focus has been on automation of deployment tasks, creating and sharing PowerShell scripts and other content to help others streamline their deployment processes.

Add comment

Sponsors

Categories

MSEndpointMgr.com use cookies to ensure that we give you the best experience on our website.