Manage Intune Security Baseline
This article is part of a series intended to help you manage Microsoft Intune, deploy recommendations and perform operations in it.
This article, part 1, focuses on the capabilities of the Intune Security Baseline and how to deploy it.
Security should always be at the forefront of our thinking these days. It was recently announced that Microsoft has finally released a security baseline for Intune, which should help many of us who deal with custom security policies and help standardize our methods for hardening devices.
The Intune security baseline is intended for the modern workplace; the concept is well known from the GPO world with the Security and Compliance Toolkit (SCT).
When managing Windows 10, we must look at hardening Windows 10 devices. The Intune security baseline is built on the Windows Security Baseline and is a great starting point. From there you can add or remove settings so that your users can still do their work and your line-of-business applications keep working as expected, in a secure way.
Intune Security Baseline
With the release of Microsoft Intune 1901, Intune finally got the security baseline. This is a good starting point for Microsoft and its security baselines (Windows 10 October 2018 release). Here are the settings Microsoft will configure to ensure the best protection. It is up to you to modify these settings and enable your own. This list and its settings will grow, following customer needs and best practices.
- Above Lock
- App Runtime
- Application Management
- Auto Play
- Credentials Delegation
- Credentials UI
- Data Protection
- Device Guard
- Device Installation
- Device Lock
- Event Log Service
- Exploit Guard
- File Explorer
- Internet Explorer
- Local Policies Security Options
- MS Security Guide
- MSS Legacy
- Remote Desktop Services
- Remote Management
- Remote Procedure Call
- Smart Screen
- Windows Connection Manager
- Windows Defender
- Windows Ink Workspace
- Windows PowerShell
For a full description of all the Intune security baseline settings, see: Windows security baseline settings for Intune
This baseline is built as a generic infrastructure that allows importing other security baselines based on CIS, NIST, and other standards. Currently, it is available only for Windows, and it may eventually include other operating systems such as iOS and Android.
Configure Intune Security Baseline
To configure the Intune Security Baseline, follow these steps:
- Go to the Intune portal: http://aka.ms/Intuneconsole
- From the menu, choose Security Baseline, then choose Preview: MDM Security Baseline for October 2018
- From the profile page choose
- Next, make sure your basic settings are configured with the following settings:
- Baseline (based on your tenant it can be different)
- After creating the profile with the Basic settings, you need to configure the settings themselves, depending on your policy requirements. This can be done with the following actions:
- Go to Profile and choose Hardening Policy (the profile name of your policy)
- From this point, you can start configuring your policy settings
- Once you are done with your settings and configurations, make sure to save all changes
- Next, make sure to assign the policy to the relevant group
Note: If this is the first time you are configuring the Baseline Security, don't choose a production group.
The Intune Security Baseline is another stride forward by Microsoft to remove the blocking components that organizations face when transitioning to the modern management workplace. When Microsoft releases the next baseline settings list, it can otherwise result in a sizable amount of work to update your clients, whereas here it should be a matter of simply consuming the new settings pushed down from Microsoft.
- For more information about Intune: https://www.eshlomo.us/tag/intune
- MDM Security Baselines to secure the modern workplace: https://techcommunity.microsoft.com/t5/Enterprise-Mobility-Security/Microsoft-Intune-introduces-MDM-Security-Baselines-to-secure-the/ba-p/313442