Menu
Modern Workplace Blog
  • Home
  • About: Kenneth van Surksum
  • Cookie Policy
Modern Workplace Blog
February 4, 2021February 4, 2021

Updating your Security baselines in Microsoft Endpoint Manager to a newer version

With the 2101 Service Release of Microsoft Intune, released this week (February 1, 2021) Microsoft released a lot of new features (more on that in other blogposts). One of the important changes in this service release is the fact that the security baselines for Windows 10 and Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) have been updated. The security baseline for Microsoft Edge hasn’t been updated.

I consider the baselines the foundation you use to build your modern workplace. They contain a set of recommended settings coming from Microsoft on how to configure your Windows 10 devices, Microsoft Defender for Endpoint settings or Microsoft Edge settings.

Compliance policy 
Microsoft Edge Baseline 
Microsoft DefenderforEndpoint 
MDM Security Baseline 
Windows 10 
Modern Work lace

With the release of the MDM Security Baseline for December 2020, the August 2020 version has become deprecated. This means that if you have implemented the August 2020 version, your profile is now read-only and you cannot edit its settings anymore. If you want to edit the settings in the security baseline, you must perform an upgrade first, after which the baseline can be modified again. This same principle is valid for the baselines of Microsoft Defender for Endpoint and Microsoft Edge.

•uołs•a,•, pavoddns 2 sali40'd pavepcsse lle spuacuwa•a' •pave•adap s! uołs'a,•, au!łaseq V

For more information about what is in the baselines, see:

MDM Security Baseline for December 2020

Microsoft Defender for Endpoint baseline for December 2020 – version 6

Microsoft doesn’t detail what’s changed in their documentation, but you can easily find out for yourself

Comparing baselines

You can compare the available security baselines with each other. You can do this from the profiles section by selecting 2 baselines and clicking on “Compare baselines”.

Home > Endpoint security > MDM Security Baseline 
MDM Security Baseline I Versions 
x 
Security baseline 
P Search (Ctrl+/) 
Manage 
Profiles 
Versions 
Create profile Compare baselines C_) Refresh 
use security baselines to improve the security pasture of your organization. 
p Search by calumn value 
Security Baseline 
Windows 10 MOM Securi... 
Windows 10 MOM Securi... 
Windows 10 MOM Securi... 
Preview: Windows 10 MD... 
Version 
December 2020 
August 2020 
May 2019 
Fall 2018 v2 
Description 
Windows 10 MOM Security Baseline as ré 
A This baseline version is deprecated. 
A This baseline version is deprecated. 
A This baseline version is deprecated. 
Number of Profiles 
Date Published 
12/09/20 
09/01/20 
06/01/19 
02/01/19
Compare baselines

If you click on compare baselines, you will be prompted to download an .CSV file. The CSV mentions whether the settings are added or removed, equal or not equal.  So, if you want to know what changed, simply filter on added, not equal and removed and you’ll have your changes.

Display Name 
Block consumer specific features 
Block third-party suggestions in Windows Spotlight 
Scheduled scan start time 
Block hardware device installation by device identifiers 
upload XML 
Definition Id 
deviceConfiguration- 
windows10GeneralConfiguration 
merSpecificFeatures 
deviceConfiguration- 
windows10GeneraIConfiguration 
artyNotifications 
deviceConfiguration- 
windows10GeneralConfiguration 
deviceConfiguration- 
windows10GeneraIConfiguration 
Deviceldentifiers 
deviceConfiguration- 
windowsSpotlight810ckConsu 
windowsSpotIight810ckThirdP 
defenderScheduledScanTime 
hardwareDeviceInstaIIation8y 
August 2020 
true 
true 
NotApplicable 
ha rdwa reDeviceInsta Blocked", " removeMatchingHardwar 
OCOA"]} 
windows10EndpointProtectionConfiguration_defenderExploitPr 
otectionXml 
December 2020 
false 
false 
"notconfigured" 
NotAppIicabIe 
NotApplicable 
Comparison 
notEqual 
notEquaI 
added 
removed 
removed
Comparison example

Update baselines

You can update your profiles by selecting the profile, and clicking “Change Version”. You can then select the security baseline version you want to update to, and whether or not you want to keep your custom settings from the baseline you want to upgrade. Once upgraded, the exclamation mark will be removed, and you can see that the version is updated to December 2020.

Home > Endpoint security > 
MDM Security Baseline I Profiles 
x 
Security baseline 
P Search (Ctrl+/) 
Manage 
Profiles 
Versions 
Create profile C_) Refresh Export Change Version 
At least one profile or policy is using a deprecated version. Microsoft recommends thatyou update all policies and profiles to the latestversion. 
use security baselines to improve the security pasture of your organization. 
p Search by calumn value 
Profile Name 
124 - Windows 1 0 Security Baseline 
Current Baseline 
August 2020 
Assigned 
Last modified 
01/31/21, 2:00 PM
Old profile
Home > Endpoint security > 
MDM Security Baseline I Profiles 
Change Version 
x 
Security baseline 
P Search (Ctrl+/) 
Manage 
Profiles 
Versions 
Create profile C_) Refresh Export Change Version 
At least one profile or policy is using a deprecated version. Microsoft recommends thatyou 
use security baselines to improve the security pasture of your organization. 
p Search by calumn value 
Profile Name 
124 - Windows 1 0 Security Baseline 
Current Baseline 
August 2020 
124 - Windows 10 Security Baseline (Windows 10 MOM Security Baseline 
Review update 
Select a security baseline to update to 
Windows 10 MOM Security Baseline for Decemeber 2020 (D... 
Select a method to update the profile 
Accept baseline changes but keep my existing setting 
customizations 
Accept baseline changes and discard existing setting 
Submit 
customizations 
Cancel
Update your security baseline
Home > Endpoint security > 
MDM Security Baseline I Profiles 
x 
Security baseline 
P Search (Ctrl+/) 
Manage 
Profiles 
Versions 
Create profile C_) Refresh Export 
Change Version 
use security baselines to improve the security pasture of your organization. 
p Search by calumn value 
Profile Name 
124 - Windows 10 Security Baseline 
Current Baseline 
December 2020 
Assigned 
Last modified 
02/04/21, 3:59 PM
Security baseline updated

Conclusion

The Security baselines really add value to your Modern Workplace. Using the Microsoft provided best practices is really helpful if you want to setup a Modern Workplace solid basis. The functionality to compare the baselines is really handy, and it’s really easy to upgrade your version of the baseline, while maintaining the customizations you created.

The security baselines have some disadvantages though, personally I would rather have seen that Microsoft provided a set of Configuration Profiles combined in a policy set. See my article: What are Intune Policy Sets? Looking at what the current policy sets can do, and which scenarios are not supported I don’t think that policy sets are usable though. Some challenges you will face with implementing Security baselines, is that they might contain settings which you already have set with a Configuration Profile, in that case you might have a conflict reported and since the security baseline sometimes uses other naming for a setting, finding the conflicting settings sometimes is a challenge.

Tweet
Follow me
Tweet #WPNinjasNL

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Founding member of:

Recent Posts

  • Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management
  • December 2022 update of the conditional access demystified whitepaper and workflow cheat sheet.
  • Conditional Access public preview functionality reviewed (22H2) – Part 3: Granular control for external user types
  • Conditional Access public preview functionality reviewed (22H2) – Part 2: Conditional Access filters for Apps and Workload Identities
  • Conditional Access public preview functionality reviewed (22H2) – Part 1: Authentication Strength

Books

System Center 2012 Service Manager Unleashed
Amazon
System Center 2012 R2 Configuration Manager Unleashed: Supplement to System Center 2012 Configuration Manager
Amazon
System Center Configuration Manager Current Branch Unleashed
Amazon
Mastering Windows 7 Deployment
Amazon
System Center 2012 Configuration Manager (SCCM) Unleashed
Amazon

Archives

  • February 2023
  • December 2022
  • November 2022
  • October 2022
  • September 2022
  • August 2022
  • May 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • August 2019
  • July 2019
  • November 2016
  • November 2015
  • June 2015
  • May 2015
  • November 2014
  • July 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • November 2013
  • August 2013
  • April 2013
  • March 2013
  • January 2013
  • December 2012
  • November 2012
  • August 2012
  • July 2012
  • June 2012

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Categories

  • ABM (3)
  • Advanced Threat Protection (4)
  • Announcement (42)
  • Azure (3)
  • AzureAD (65)
  • Certification (2)
  • Cloud App Security (3)
  • Conditional Access (50)
  • Configuration Manager (24)
  • Events (11)
  • Exchange Online (7)
  • Identity Protection (3)
  • Intune (17)
  • Licensing (2)
  • Microsoft Endpoint Manager (35)
  • Mobile Application Management (1)
  • Modern Workplace (65)
  • Office 365 (10)
  • Overview (10)
  • Power Platform (1)
  • PowerShell (2)
  • Presentations (7)
  • Privileged Identity Management (5)
  • Role Based Access Control (2)
  • Security (50)
  • Service Manager (4)
  • Speaking (22)
  • Troubleshooting (4)
  • Uncategorized (11)
  • Windows 10 (14)
  • Windows 11 (4)
  • Windows Update for Business (3)
  • WMUG.nl (16)
  • WPNinjasNL (30)

Tags

#AzureAD #community #conditionalaccess #ConfigMgr #IAM #Intune #m365 #MEM #MEMCM #microsoft365 #modernworkplace #office365 #security #webinar #wmug_nl ATP AzureAD Branding Community Conditional Access ConfigMgr ConfigMgr 2012 Configuration Manager Email EXO Identity Intune Licensing M365 MCAS Modern Workplace Office 365 OSD PIM Policy Sets Presentation RBAC roles Security Service Manager SSP System Center troubleshooting webinar Windows 10

Recent Comments

  • Kenneth on December 2022 update of the conditional access demystified whitepaper and workflow cheat sheet.
  • John Barnes on December 2022 update of the conditional access demystified whitepaper and workflow cheat sheet.
  • Intune Newsletter - 24th February 2023 - Andrew Taylor on Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management
  • Azure AD Conditional Access authentication context now also available for Azure AD Privileged Identity Management | Modern Workplace Blog on A first look at Azure AD Conditional Access authentication context
  • Kenneth on Intune: Choosing whether to assign to User or Device Groups

This information is provided “AS IS” with no warranties, confers no rights and is not supported by the author.

Copyright © 2021 by Kenneth van Surksum. All rights reserved. No part of the information on this web site may be reproduced or posted in any form or by any means without the prior written permission of the publisher.

Shorthand: Don’t pass off my work as yours, it’s not nice.

©2023 Modern Workplace Blog | Powered by WordPress and Superb Themes!
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT