Create Security Baselines to improve security of devices and protect users. Security baselines are sets of recommended settings which created and maintained by Microsoft. In the beginning of 2019 Security baselines became available in Intune (1901 service release). In this blogpost I will show how to create Security Baselines using Intune. More information and news about Security baselines can be found on the Microsoft Security Baselines Techcommunity site.
- Windows 10 Security Baseline
- Microsoft Defender ATP Baseline
- Microsoft Edge Baseline
- Security baseline for Office*
*Security baseline for Office is available, but is not deployed via the Security baselines blade. To apply the security baseline for Office you need to create a policy for Office apps. The baseline settings are preconfigured as a security recommendation. So when you create an policy for Office apps without applying any settings you are basically implementing a Security Baseline for Office apps.
Profiles and Versions
Security baselines consist out of Profiles and Versions. Microsoft maintains and updates the versions of security baselines these contain the recommended settings. To deploy a baseline you need to create a profile based on a baseline. The profile only contains the setting of the version you want to deploy. You do not need to use all the settings which are in the baseline. Some settings you may not want to use because it can block functionality used within your organization. The created profile will be assigned to users and devices. You can create multiple profiles of a Security Baseline version.
In the Versions screen you see the versions which are available and used within your organization. To deploy a version of As you can see in the following screenshot of the versions screen of Microsoft Edge baseline, there are currently two versions within the organization. As you can see in the overview only the “April 2020” version is assigned using a profile (Number of Profiles). In the description of this version you can read “This baseline version is deprecated.” to remind you there is a newer version.
As mentioned before to deploy a security baseline you will need to create a profile. The profile is based on a version of the security baseline. In Picture 2 you can see two profiles, in the column “Current Baseline” you can see on which version baseline it was created. The yellow notification in the top indicates that one of the profiles is using a deprecated version baseline. In my next blog I will show how to upgrade a profile to a newer baseline.
Create Security Baseline
In this tutorial I will demonstrate how to create Security Baseline by creating a new Microsoft Edge Baseline. The same steps can be used to create the Windows 10 or Microsoft Defender baselines.
1. Go to “Endpoint security” -> “Security baselines” -> “Microsoft Edge baseline” or press here. Select “+ Create profile” to setup a Microsoft Edge baseline.
2. Enter a name for the baseline and description (optional). Press “Next” to continue.
3. Select the configuration settings you want to assign. By default all the baseline settings are configured, but you may want to change a settings because it’s needed for a program to function. Also you need to check if the settings in the baseline are not configured in a different configuration policy. This could cause conflicts when the settings are applied to a device. Press “Next” to continue.
4. Add additional scope tags (optional) and press “Next”.
5. Assign the Security baseline to a group. The baseline can be assigned to User groups and device groups for guidance click here. Press “Next” to continue.
6. Review the settings and press “Create” to create and apply the settings to the configured assignment group.
7. Monitor the status of the deployment and test the settings to resolve any policy conflicts.
This is how you create security baselines. Hope you liked this blog.