Deploying Microsoft Intune Security Baselines

Once I had changed the Intune data collection policy to exclude the Windows 10 Pro machines, the errors went away, as did the duplicate System account. It turns out that the Intune data collection policy gets created when you use Endpoint Analytics, as shown above. Save the profile and then assign it to users, groups or devices just like any Intune profile. Also, in settings, it says settings are managed by administrator. When I go to the PC now, I can see Windows Defender Antivirus real-time scanning is enabled.

Managing the same setting on the same device through multiple policy types will result in conflicts, and you should do your best to avoid that. You can avoid conflicts by not using different baselines, instances of the same baseline, or different policy types and instances to manage the same settings. Templates include a logical group of settings, such as device restrictions, kiosk, and more. Use this option if you want to use these groupings to configure your settings. The Microsoft security team consults organizations, such as CIS, to compile its recommendations. But there isn’t a one-to-one mapping between “CIS-compliant” and Microsoft baselines.

The best practice is to keep those active for better security. Let's verify these two using the below PowerShell commands. Luckily for us, all the ASR rules are already in the Configuration Service Provider, so we don’t have to ingest an ADMX file. Configure all Attack Surface Reduction Rules via custom configuration …

Here, both tools work in a complementary fashion to handle workloads in an IT infrastructure. Implement MAM application protection policies for additional settings not covered by baselines, individual Endpoint security, MDM compliance and MDM configuration policies. Security baselines create a Configuration Profile for Windows 10 in Intune. You then apply or assign this profile to your users, groups, and devices.

Amazingly simple to implement across all devices in an organization. The guidance on GitHub suggests that the NCSC’s guidance may be better suited to government or medium/large organizations, but I would suggest that even small businesses consider implementing these policies. It takes an exceptionally long time to implement the baseline with no importable JSON or PowerShell scripts to ease the implementation.

There is a baseline for Windows 10 security, Microsoft Defender ATP and Microsoft Edge already. Microsoft recently announced that an Office baseline will soon be available. It will then complete the Autopilot configuration as seen above. The reason for this is that in Endpoint Manager a user has already been assigned to the device. Once I select Autopilot Reset in Endpoint Manager, any active user will receive the above message that they have 45 minutes before the targeted machine is forcibly rebooted. I will fast track that process by manually rebooting the workstation to commence the Autopilot reset process.

When I logged in to this device, I noticed the user had turned off the Windows Defender Antivirus protection. Select the Security Baseline you want to update and open the Versions tab, select both your current version and the new one and click Compare baselines. If you want to apply a less restrictive profile, some devices may need to be retired and re-enrolled into Intune. That means that you may have to retire and re-enroll Android, iOS/iPadOS, or even Windows devices. Change the version – Change the baseline version in use by a profile.
