Intune Security Baselines - What are they and how to use them?

on
Security baselines are intended to make it easier to configure security-related settings in Windows or Edge. They are available from Microsoft as Group Policy packages, or they can be configured through the interfaces for mobile device management such as Intune.


In my opinion, they are mainly intended for clients who have limited experience with Intune and/or security, i.e., s mall organizations with limited (or no) in-house IT resources . An example of “limited resources” (or experience) could be if you are interested in Attack Surface Reduction rules but aren't sure where to begin the learning process.

But buyer beware! Even if these baselines are considered de facto must-set settings by Microsoft, you may still be limited depending on what licenses you have - in particular the Defender for Endpoint baseline.


Comparing Baselines

As of writing, there are four separate baseline profiles to choose amongst: Windows 10; Defender for Endpoint; Edge; and Windows 365. So what’s included in the different baseline profiles?


Quite a lot. But then again, there’s a lot of overlap. Now going through each category is a far too comprehensive topic to cover in just one blog post so I’ll just be providing a very quick overview in the following section.

My overall aim, however, is to cover as much as I can such as my post on Credential Guard: Protect Windows from pass-the-hash and pass-the-ticket attacks.

In the meanwhile, there is a LOT of documentation from Microsoft themselves. And it is a MUST that any professional working wit Microsoft products become intimately familiar with scouring through MSFT documentation. It’s a skill that needs to be learned just like Google-Fu 😝

Windows 10 Baseline 

The settings in this baseline's default values represent the recommended configuration for applicable devices. Defaults for one baseline may differ from defaults in other security baselines or versions of this baseline.

I will add this detail, however; Browser refers to Edge Legacy so if you want baseline policies that cover the Chromium based version of Edge, then keep reading for an introduction to the Microsoft Edge Security Baseline.

Defender for Endpoint Baseline



Microsoft Edge Baseline 

Again, all of this is pretty self-explanatory except that these policy settings are only valid for the Chromium based version of Edge. So if you want legacy baselines settings (or Internet Explorer), then Windows 10 MDM is the baseline you're looking for.


Windows 365 Security (Preview) Baseline 

This baseline was initially released shortly after Microsoft announced their 365 alternative to Azure Virtual Desktops and it is basically a mix of the other three baselines we already covered. Without "officially" labelling this as a 365 Desktop centric baseline, when you look at what's included (and excluded), it's pretty obvious. But without going into a lot more detail; I offer the bullet points showing the difference between this and the Windows 10 MDM (and other) security baselines:

  • Power is not part of the 365 baseline.
  • Wi-Fi is not part of the 365 baseline.
  • The full Microsoft Edge baseline is copy/pasted into 365.
  • Microsoft Defender from the DfE baseline is copy/pasted into 365.
  • Attack Surface Reduction rules from the DfE baseline is copy/pasted into 365.
  • Microsoft Defender Antivirus Exclusions from Simplified security policies* is copy/pasted into 365.
  • Data Protection is not part of 365<f
  • Device Lock is not part of 365
*Simplified Security Polices is a topic I intend to write a future blog post about but in the meanwhile you can take a look at this: Manage endpoint security policies in Microsoft Intune | Microsoft Docs.

Overall comparison 

As you can imagine, there is quite a bit of policy overlap if you decide to implement the above baselines. Below you’ll find a table that I I made as a quick reference guide so that I can see which baselines overlap. Now this is a very simplified overview but maybe I can convince work to let me publish some more of our internal documentations 😉. 

The numbers show the total number of policies within a given policy category. So, for example, under Win 10: Internet Explorer; you can see that there are a total 117 policies. Under DfE and Edge, the cells are blank. That means there are no Internet Explorer policies under either policy profile. Conversely, under Firewall, there are 41 policies in the Defender for Endpoint profile vs. only 18 in Win 10 and (obviously) zero in Edge.


Note: You will probably have noticed that for all three baseline profiles that the cells for App & Browser Isolation; Defender AV Exclusions; Endpoint Detection & Response; and Exploit Protection are blank. This is because the above table was adapted from an internal document that I produced for work. So why are they still there?

Because those policy categories are part of Simplified Security Profiles (a topic I intend to cover in a future blog post) and was too lazy to make a new table once I realized my "error". If anything else, think of it as another reminder that you'll really be limiting yourself if you think of baselines as a pump-and-dump rather than a bridge-gap during your security journey. 

Configuring a Baseline

By navigating to Endpoint security  >   Security Baselines, you can view the  available baselines. Select the baseline that you want to profile and apply.


Here you click on  + Create profile , so that you can adjust a certain baseline using Profile (ignore the profile already present. I’ll get to that part under the comparing baselines section later on in this post).


Start by giving your baseline a name.


You can view the baseline settings on the Configuration settings page and customize them as needed for your organization. 

As with the import of GPOs, you will almost never adopt all specifications without first testing them, because doing so could have unintended consequences, such as affecting older applications or systems.


Then assign the desired scope tags that you want to use for a granular narrowing down of the management area using role-based access control (RBAC). Then, on the Assignments screen, add the group(s) from Azure AD so that the baseline is applied to the devices it contains.


Finally, the wizard shows an overview of the changes made. If these are correct, you can create the profile by clicking on Create.


And here’s your first Windows 10 MDM security baseline!


If you ever need to (or want to) change any of the settings, just navigate to Endpoint Security  >  Select your Baseline  >  Properties  >  Edit


That said! Beware of Conflicts!

Just don’t blindly apply baselines! Policy conflicts are likely occur and not always an easy fix. Policies tend to get tattooed to machines and, if something goes wrong, it’s not always as simple as taking a policy and “ turning it off”. 

Sometimes that will work; sometimes you need to overwrite the value with another setting; sometimes you’ll need to just wipe the device. 

Trust me. I know. From hard experience. 

Now I’m not strictly supposed to do this, but I wanted to include an example of a mature tenant (not one of mine!) just to show what sort of things to look out for. In the below screenshot, take notice of the number of errors and conflicts.

The number of errors isn’t too important for our purposes right now as this is due to… well, it’s a long story and this set-up is very much a work-in-progress. But long story short; there are a bunch of different test configurations and not all of them are jiving too well.

So what we’re going to focus our interest on are the conflicts. Clicking on the Profile assignment Status pie chart, you’ll be presented with an overview of… you guessed it… Device status. Again, this is a mature and very much a WIP tenant with a LOT of different configurations we’re currently fixing up.

Anyway, I’m going to select the first device with a conflict.

Here we can see that, apart from all the other configurations, this device has both the Windows 10 MDM and Microsoft Defender for Endpoint security baselines. So what’s in conflict?

If we select one of the baselines in conflict, we can sort the sorting status to see what exactly Intune isn’t happy about. In this example, it appears to be mostly firewall stuff. Let’s just look at the first example. To the right, Intune shows which profile the baseline conflicts with. And from there we can start comparing the two.

Now the point of this post isn’t to provide a detailed troubleshooting guide and I should warn you that Intune won’t always show where the conflict is depending on what type of configuration profile was used to creating the conflicting policy settings. But this is where I would start when something like this arises.

I may be tempted to write a more detailed guide in the future.

 

Summin’ it up

Overall, security baselines in Intune are very quick and easy to configure. They therefore offer a good opportunity to implement the best practices for registered devices. Microsoft Intune Endpoint Security makes it very easy to define and assign compliance policies to machines registered in Azure AD directly or through a hybrid configuration.

So why should you use them? Well, because:

  • Basic security settings recommended by Microsoft themselves
  • Baselines are periodically updated and easy to compare to current baselines
  • It's the fastest method to configure W10, DfE and Edge security
  • Baselines are already configured
  • To configure Edge chromium, Edge Legacy and/or Internet Explorer 
  • Good if the sysadmin only has a little exposure to Intune and/or security e.g. if you’re interested in Attack Surface Reduction rules but not sure where to start
  • Good for small organizations with small (or no) in-house IT and/or greenfield i.e. no ​policies currently in place
  • Already have GPOs and/or device config set-up and just want to leverage security features – FAST

Also, baselines aren’t CIS/NIST compliant out-of-the-box. Firstly, CIS benchmarks can be pretty overkill and is also very dependent on your environment. Secondly, there are some differences, I guess you could call disagreements, between Intune baseline settings and what CIS recommends (e.g. Administrator elevation prompt behavior under Local Policies Security Options) but 99% of time, Microsoft and CIS are in alignment. I just mention this so that you don’t think your organization will be able to pass a CIS audit just by switching a few switches on in Intune.

There is a ton of stuff missing in Intune Baselines that will ultimately require leveraging ingesting ADMX group policy templates; using simplified security profiles; device configuration profiles, custom oma-uri’s; the device catalog; etc.. and ALL of that will (eventually) be covered in future blog posts!

But in the meantime, baselines are a great start if you’re green!


Updating New Security Baseline Releases

It is easy to compare baselines that have been updated . However, even if you don't want to update, your current baseline will become read-only once a new baseline has been released.




The CSV you download is is raw and in the screenshot below I've already formatted the sheet for easier reading. What we're most interested in is what changes between the two baselines have been made. After sorting the F column, it seems the only change has been that Scan scripts that are used in Microsoft browsers has been added. All the other settings appear to be the same.