Updating your Security baselines in Microsoft Endpoint Manager to a newer version

With the 2101 Service Release of Microsoft Intune, released this week (February 1, 2021) Microsoft released a lot of new features (more on that in other blogposts). One of the important changes in this service release is the fact that the security baselines for Windows 10 and Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) have been updated. The security baseline for Microsoft Edge hasn’t been updated.

I consider the baselines the foundation you use to build your modern workplace. They contain a set of recommended settings coming from Microsoft on how to configure your Windows 10 devices, Microsoft Defender for Endpoint settings or Microsoft Edge settings.

Compliance policy Microsoft Edge Baseline Microsoft DefenderforEndpoint MDM Security Baseline Windows 10 Modern Work lace

With the release of the MDM Security Baseline for December 2020, the August 2020 version has become deprecated. This means that if you have implemented the August 2020 version, your profile is now read-only and you cannot edit its settings anymore. If you want to edit the settings in the security baseline, you must perform an upgrade first, after which the baseline can be modified again. This same principle is valid for the baselines of Microsoft Defender for Endpoint and Microsoft Edge.

•uołs•a,•, pavoddns 2 sali40'd pavepcsse lle spuacuwa•a' •pave•adap s! uołs'a,•, au!łaseq V

For more information about what is in the baselines, see:

MDM Security Baseline for December 2020

Microsoft Defender for Endpoint baseline for December 2020 – version 6

Microsoft doesn’t detail what’s changed in their documentation, but you can easily find out for yourself

Comparing baselines

You can compare the available security baselines with each other. You can do this from the profiles section by selecting 2 baselines and clicking on “Compare baselines”.

Home > Endpoint security > MDM Security Baseline MDM Security Baseline I Versions x Security baseline P Search (Ctrl+/) Manage Profiles Versions Create profile Compare baselines C_) Refresh use security baselines to improve the security pasture of your organization. p Search by calumn value Security Baseline Windows 10 MOM Securi... Windows 10 MOM Securi... Windows 10 MOM Securi... Preview: Windows 10 MD... Version December 2020 August 2020 May 2019 Fall 2018 v2 Description Windows 10 MOM Security Baseline as ré A This baseline version is deprecated. A This baseline version is deprecated. A This baseline version is deprecated. Number of Profiles Date Published 12/09/20 09/01/20 06/01/19 02/01/19
Compare baselines

If you click on compare baselines, you will be prompted to download an .CSV file. The CSV mentions whether the settings are added or removed, equal or not equal.  So, if you want to know what changed, simply filter on added, not equal and removed and you’ll have your changes.

Display Name Block consumer specific features Block third-party suggestions in Windows Spotlight Scheduled scan start time Block hardware device installation by device identifiers upload XML Definition Id deviceConfiguration- windows10GeneralConfiguration merSpecificFeatures deviceConfiguration- windows10GeneraIConfiguration artyNotifications deviceConfiguration- windows10GeneralConfiguration deviceConfiguration- windows10GeneraIConfiguration Deviceldentifiers deviceConfiguration- windowsSpotlight810ckConsu windowsSpotIight810ckThirdP defenderScheduledScanTime hardwareDeviceInstaIIation8y August 2020 true true NotApplicable ha rdwa reDeviceInsta Blocked", " removeMatchingHardwar OCOA"]} windows10EndpointProtectionConfiguration_defenderExploitPr otectionXml December 2020 false false "notconfigured" NotAppIicabIe NotApplicable Comparison notEqual notEquaI added removed removed
Comparison example

Update baselines

You can update your profiles by selecting the profile, and clicking “Change Version”. You can then select the security baseline version you want to update to, and whether or not you want to keep your custom settings from the baseline you want to upgrade. Once upgraded, the exclamation mark will be removed, and you can see that the version is updated to December 2020.

Home > Endpoint security > MDM Security Baseline I Profiles x Security baseline P Search (Ctrl+/) Manage Profiles Versions Create profile C_) Refresh Export Change Version At least one profile or policy is using a deprecated version. Microsoft recommends thatyou update all policies and profiles to the latestversion. use security baselines to improve the security pasture of your organization. p Search by calumn value Profile Name 124 - Windows 1 0 Security Baseline Current Baseline August 2020 Assigned Last modified 01/31/21, 2:00 PM
Old profile
Home > Endpoint security > MDM Security Baseline I Profiles Change Version x Security baseline P Search (Ctrl+/) Manage Profiles Versions Create profile C_) Refresh Export Change Version At least one profile or policy is using a deprecated version. Microsoft recommends thatyou use security baselines to improve the security pasture of your organization. p Search by calumn value Profile Name 124 - Windows 1 0 Security Baseline Current Baseline August 2020 124 - Windows 10 Security Baseline (Windows 10 MOM Security Baseline Review update Select a security baseline to update to Windows 10 MOM Security Baseline for Decemeber 2020 (D... Select a method to update the profile Accept baseline changes but keep my existing setting customizations Accept baseline changes and discard existing setting Submit customizations Cancel
Update your security baseline
Home > Endpoint security > MDM Security Baseline I Profiles x Security baseline P Search (Ctrl+/) Manage Profiles Versions Create profile C_) Refresh Export Change Version use security baselines to improve the security pasture of your organization. p Search by calumn value Profile Name 124 - Windows 10 Security Baseline Current Baseline December 2020 Assigned Last modified 02/04/21, 3:59 PM
Security baseline updated

Conclusion

The Security baselines really add value to your Modern Workplace. Using the Microsoft provided best practices is really helpful if you want to setup a Modern Workplace solid basis. The functionality to compare the baselines is really handy, and it’s really easy to upgrade your version of the baseline, while maintaining the customizations you created.

The security baselines have some disadvantages though, personally I would rather have seen that Microsoft provided a set of Configuration Profiles combined in a policy set. See my article: What are Intune Policy Sets? Looking at what the current policy sets can do, and which scenarios are not supported I don’t think that policy sets are usable though. Some challenges you will face with implementing Security baselines, is that they might contain settings which you already have set with a Configuration Profile, in that case you might have a conflict reported and since the security baseline sometimes uses other naming for a setting, finding the conflicting settings sometimes is a challenge.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.