Announced back at Ignite in September was something that along with ADMX settings was high on the list of the wish list for Intune administrators, this of course was Security Baselines.

For those reading this who do not know what Security Baselines are, Microsoft release a set of pre-configured group policy objects which provide a best practice when it comes to securing your Windows and Office environments (for this post read the Windows baseline document – https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-security-baselines).

Up until this point it was of course possible to secure Intune managed Windows devices using local non-admin group policy exports, CSP policies or PowerShell scripts however this was very much a time consuming manual process.

When members of the Intune community initially discovered ADMX was on the horizon it was typically one of the first questions that was asked, would it be possible to import security baselines so Microsoft have delivered here in the first public preview of the feature.

First of all this is not an import type process, the baselines (Windows only at the time of writing) are all pre-configured, however you can enable or disable individual settings as required.

How to apply a security baseline

The first thing here you will notice is that the Security Baseline gets is own blade;

You can also access the baseline settings directly from within the Intune blade;

Create A New Security Baseline Policy

Click on the Security Baseline s blade and then click on the “PREVIEW: MDM Security Baseline for October 2018 (beta)” box

on the s blade and then click on the “PREVIEW: MDM Security Baseline for October 2018 (beta)” box Create Profile

Click on the “+ Create Profile” button

Click on the “+ Create Profile” button Give the profile a name

Customise Baseline Settings

Here you can set individual setting values, allowing you to over-ride specific settings where required

Here you can set individual setting values, allowing you to over-ride specific settings where required Apply The Policy

Click on the newly created policyClick on AssignmentsAssign to your required selected group(s)

Verifying Customised Settings Deployment

In the below example I have changed the default event viewer maximum log threshold for both applications and system logs;

Edit Required Setting

Here I have set the system log down to the minimum threshold value of 32768 KB and the application log down to 16384 KB

Here I have set the system log down to the minimum threshold value of 32768 KB and the application log down to 16384 KB Verify Applied Setting

As you will see in the below screenshot, the settings were successfully applied You can also verify that settings have been made in a more investigative manner in the system event logs. Expanding the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log you will see event ID 814 when settings are applied. Below you can see the detail in the settings payload applied for the EventLogService system log:

Conclusion

The introduction of Windows Security Baselines into Intune device management is yet another stride forward by Microsoft to remove the blocking components that organisations have when it comes to transitioning to the modern management workplace. Sure CSP settings and other work around methods are out there, however when Microsoft releases the next baseline setting list then it can result in a sizable amount of work to update your clients, whereas here it should be a method of simply consuming the new settings pushed down from Microsoft.

As always I would urge you to pass back feedback to Microsoft to help drive the development of these additional management tools as they understand that you are the people on the ground, moving away from traditional GPO managed environments and often see things from a different perspective.

Thanks for reading.

(4736)