Announced back at Ignite in September was something that, along with ADMX settings, was high on the wish list of Intune administrators: Security Baselines.
For those reading this who do not know what Security Baselines are, Microsoft release a set of pre-configured group policy objects which provide best practice when it comes to securing your Windows and Office environments (for this post, read the Windows baseline document – https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines).
Up until this point it was of course possible to secure Intune managed Windows devices using local non-admin group policy exports, CSP policies or PowerShell scripts; however, this was very much a time consuming manual process.
When members of the Intune community initially discovered ADMX was on the horizon, one of the first questions asked was whether it would be possible to import security baselines, and Microsoft have delivered here in the first public preview of the feature.
First of all, this is not an import type process: the baselines (Windows only at the time of writing) are all pre-configured; however, you can enable or disable individual settings as required.
How to apply a security baseline
The first thing you will notice here is that Security Baselines get their own blade:
You can also access the baseline settings directly from within the Intune blade:
- Create A New Security Baseline Policy
Click on the Security Baselines blade and then click on the “PREVIEW: MDM Security Baseline for October 2018 (beta)” box
- Create Profile
Click on the “+ Create Profile” button
- Give the profile a name
- Customise Baseline Settings
Here you can set individual setting values, allowing you to override specific settings where required
- Apply The Policy
Click on the newly created policy, click on Assignments, then assign it to your required group(s)
Verifying Customised Settings Deployment
In the below example I have changed the default event viewer maximum log threshold for both the application and system logs:
- Edit Required Setting
Here I have set the system log down to the minimum threshold value of 32768 KB and the application log down to 16384 KB.
- Verify Applied Setting
As you will see in the below screenshot, the settings were successfully applied.
You can also verify that the settings have been made in a more investigative manner in the system event logs. Expanding the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log you will see event ID 814 when settings are applied. Below you can see the detail in the settings payload applied for the EventLogService system log:
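The same verification can be scripted rather than clicked through. The following is an added PowerShell example, not code from the original post or from Microsoft: it compares the expected log sizes set in the portal above (32768 KB for System, 16384 KB for Application) with the value the Event Log policy writes to the registry and with the effective channel size the Event Log service reports, then pulls the event ID 814 entries from the MDM diagnostics log. The registry path is the one the equivalent group policy setting uses, and the `EventLogService` text match on the event message is an assumption about the payload wording; run it in an elevated session on the enrolled device.

```powershell
# Added example (not from the original post): check that the customised baseline
# log sizes landed on the device, then surface the MDM events that applied them.

# Expected maximum log sizes in KB, taken from the values set in this post.
# Adjust these to match your own customised baseline.
$Expected = @{
    'System'      = 32768
    'Application' = 16384
}

function Test-BaselineLogSize {
    param(
        [Parameter(Mandatory)][string]$LogName,
        [Parameter(Mandatory)][int]$ExpectedKB
    )
    # The "Specify the maximum log file size (KB)" policy (which the Policy CSP
    # EventLogService area maps to) records the enforced size under this key.
    $policyKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\$LogName"
    $policyKB  = (Get-ItemProperty -Path $policyKey -Name MaxSize -ErrorAction SilentlyContinue).MaxSize

    # Effective channel configuration as reported by the Event Log service.
    $channel     = Get-WinEvent -ListLog $LogName
    $effectiveKB = [int]($channel.MaximumSizeInBytes / 1KB)

    [pscustomobject]@{
        Log         = $LogName
        ExpectedKB  = $ExpectedKB
        PolicyKB    = $policyKB
        EffectiveKB = $effectiveKB
        PolicyOK    = ($policyKB -eq $ExpectedKB)
        EffectiveOK = ($effectiveKB -eq $ExpectedKB)
    }
}

# One row per log: a False in either OK column means the baseline has not
# applied yet, or something else is overriding it.
$Expected.GetEnumerator() |
    ForEach-Object { Test-BaselineLogSize -LogName $_.Key -ExpectedKB $_.Value } |
    Format-Table -AutoSize

# Event ID 814 in the MDM diagnostics log records each policy value the MDM
# client applied. Filtering on the EventLogService area (an assumption about
# the message text) narrows it to the log size settings customised above.
$mdmLog = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $mdmLog; Id = 814 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EventLogService' } |
    Select-Object TimeCreated, Message |
    Format-List
```

Checking both the policy registry value and the effective channel size is deliberate: the registry value tells you the MDM client wrote the setting, while the effective size tells you the Event Log service has actually picked it up, and a mismatch between the two is usually a sign of a pending sync or a conflicting local policy.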
The introduction of Windows Security Baselines into Intune device management is yet another stride forward by Microsoft in removing the blockers organisations face when transitioning to the modern management workplace. Sure, CSP settings and other workaround methods are out there; however, when Microsoft releases the next baseline setting list it can result in a sizable amount of work to update your clients, whereas here it should simply be a matter of consuming the new settings pushed down from Microsoft.
As always, I would urge you to pass feedback back to Microsoft to help drive the development of these additional management tools, as they understand that you are the people on the ground, moving away from traditional GPO managed environments, and often see things from a different perspective.
Thanks for reading.
Maurice has been working in the IT industry for the past 18 years and is currently working in the role of Principal Consultant with TrueSec. With a focus on OS deployment through SCCM/MDT, group policies, Active Directory, virtualisation and Office 365, Maurice has been a Windows Server MCSE since 2008 and was awarded Enterprise Mobility MVP in March 2017.