In my previous post I showed how to create a security baseline. In this post I will show how to upgrade security baselines when a new version becomes available. Microsoft releases upgraded security baselines every few months. Configured security baseline profiles are not upgraded to the latest version automatically; this is a manual process which you need to perform. It’s important that you upgrade security baselines because settings of previous versions cannot be modified (see picture 1) and because settings may be added, edited or removed in upgraded security baselines.
Picture 1: Missing Edit button on a deprecated baseline
During the upgrade process, new settings are added to your current security baseline with their default values. If the default of an existing setting has been updated, for example from “enabled” to “disabled”, the setting changes to “disabled” when you upgrade your profile. If you customized the setting in your security baseline profile, the result depends on which update method you select (step 10).
Upgrade Process
Before you upgrade your existing Security baselines you need to know what will change and test the new settings. I would recommend the following upgrade process for Security Baselines:
- Compare existing and new security baseline to determine the differences.
- Create a duplicate of the existing security baseline to test the new security baseline.
- Upgrade the existing security baseline to the current version.
Upgrade security baseline
Just like in my previous blog, I will use the Security baseline policy for Edge to demonstrate how to upgrade security baselines.
1. Go to “Endpoint security” -> “Security baselines”. Select “Microsoft Edge baseline”. When a profile uses a deprecated security baseline, the following message is displayed: “At least one profile or policy is using a deprecated version. Microsoft recommends that you update all policies and profiles to the latest version.” The deprecated profile can be recognized by the exclamation mark.
2. To compare the differences between the existing and the new security baseline, select “Versions” and check the boxes of the old and new security baseline. Press “Compare baselines” to download a *.csv file with the differences between the two Security baseline versions.
3. In the downloaded csv every baseline setting is listed including the default setting for the new and current security baseline. In the last column the comparison between the baseline version settings is displayed. (The comparison does not include profile modifications.)
4. Next step is to create a duplicate of your current profile. This duplicate can be used to test the upgrade of the security baseline. Select “Profiles” and press the ellipsis (…) and select “Duplicate”.
5. Enter a name and description for the duplicate profile. The duplicate profile will contain the same settings and uses the same version of the Security baseline as the original profile but will not be assigned.
6. Press “refresh” to refresh the displayed profiles and see the new duplicate profile. Assign the duplicate policy to a test group to test the upgrade and check that the settings do not cause issues.
7. To test the upgrade to the latest Security baseline, select the “Duplicate” profile by checking the box and press “Change version”.
8. The change version blade will be displayed. Select the security baseline version to which you want to upgrade. Press “Review update”; this will download a comparison between your current Security baseline settings and the default Security baseline settings of the new version.
9. Check the downloaded comparison file. This file is different from the file downloaded at step 3: in this file the settings of the configured profile are compared with the new Security baseline version. In the screenshot the setting “Control which extensions cannot be installed” has been altered to “disabled”. Also, a new setting has been added which is disabled in the new version of the Security baseline.
10. Now you need to select the method you want to use to upgrade the profile. There are two options you can select:
- “Accept baseline changes but keep my existing setting customizations”: keep all your customizations from the original baseline version.
- “Accept baseline changes and discard existing setting customizations”: use the default values for all settings in the new baseline version.
Because I’ve made modifications to my profile I will select “Accept baseline changes but keep my existing setting customizations” and press “Select”.
11. The upgrade will only take a few seconds. When the upgrade has finished, a message is displayed. The current baseline of the duplicated profile will now display the latest version of the Security baseline.
12. Monitor whether the security baselines are applied correctly to your test devices, to see if there are issues which need to be solved before applying the new security baseline to production. Be aware that it can take up to 24 hours before the monitoring is updated. Once the upgraded security baseline has been applied to your test devices you need to test.
13. Once you’ve confirmed that everything is working fine, you can upgrade the production profile. To upgrade the production profile, repeat steps 7 to 12. After the upgrade the deprecated version notification (step 1) will disappear (unless you still have an old security baseline).
14. In the versions blade the displayed versions will reflect the current situation and only the current version of the Security baseline is displayed in the overview. The upgrade is now completed.
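The two comparison files from steps 3 and 9 can be triaged together before you choose the update method in step 10. This is an added example, not part of the original post; the column headers, the comparison values and the “Example setting” names are constructed, and only the convention that the last column holds the comparison comes from the description above.

```python
import csv
import io

# Constructed sample data. Column headers and comparison values are
# assumptions; the post only states that the last column holds the comparison.
BASELINE_COMPARE = """\
Setting,Old default,New default,Comparison
Control which extensions cannot be installed,Enabled,Enabled,No change
Example setting A,Enabled,Disabled,Modified
Example setting B,,Disabled,Added
Example setting C,Enabled,Enabled,No change
"""

PROFILE_COMPARE = """\
Setting,Profile value,New default,Comparison
Control which extensions cannot be installed,Disabled,Enabled,Modified
Example setting A,Enabled,Disabled,Modified
Example setting B,,Disabled,Added
Example setting C,Enabled,Enabled,No change
"""


def load_comparison(text):
    """Map setting name (first column) to comparison value (last column)."""
    rows = [r for r in csv.reader(io.StringIO(text)) if r]
    return {r[0].strip(): r[-1].strip() for r in rows[1:]}  # skip header


def triage(baseline_text, profile_text, unchanged="No change"):
    """Split the differences by where they come from."""
    baseline = load_comparison(baseline_text)   # file from step 3
    profile = load_comparison(profile_text)     # file from step 9
    changed_defaults = {s for s, c in baseline.items() if c != unchanged}
    profile_diffs = {s for s, c in profile.items() if c != unchanged}
    return {
        # Default moved between versions: test these on the duplicate profile.
        "baseline_changes": sorted(changed_defaults),
        # Default did not move, yet the profile differs from it: these are
        # customizations, lost if you discard customizations in step 10.
        "customizations": sorted(profile_diffs - changed_defaults),
        # Settings that appear in only one of the two files.
        "unmatched": sorted(set(baseline) ^ set(profile)),
    }


if __name__ == "__main__":
    for group, settings in triage(BASELINE_COMPARE, PROFILE_COMPARE).items():
        print(f"{group}: {settings}")
```

Pass the value your own export uses for unchanged rows as `unchanged` if it differs from the constructed “No change”.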
I hope you liked this blog about how to upgrade security baselines. Just leave a reply if you have questions or remarks about this post.