With the 2101 Service Release of Microsoft Intune, released this week (February 1, 2021) Microsoft released a lot of new features (more on that in other blogposts). One of the important changes in this service release is the fact that the security baselines for Windows 10 and Microsoft Defender for Endpoint (formerly Microsoft Defender ATP) have been updated. The security baseline for Microsoft Edge hasn’t been updated.
I consider the baselines the foundation you use to build your modern workplace. They contain a set of recommended settings coming from Microsoft on how to configure your Windows 10 devices, Microsoft Defender for Endpoint settings or Microsoft Edge settings.
With the release of the MDM Security Baseline for December 2020, the August 2020 version has become deprecated. This means that if you have implemented the August 2020 version, your profile is now read-only and you cannot edit its settings anymore. If you want to edit the settings in the security baseline, you must perform an upgrade first, after which the baseline can be modified again. This same principle is valid for the baselines of Microsoft Defender for Endpoint and Microsoft Edge.
For more information about what is in the baselines, see:
Microsoft doesn’t detail what’s changed in their documentation, but you can easily find out for yourself
You can compare the available security baselines with each other. You can do this from the profiles section by selecting 2 baselines and clicking on “Compare baselines”.
If you click on compare baselines, you will be prompted to download an .CSV file. The CSV mentions whether the settings are added or removed, equal or not equal. So, if you want to know what changed, simply filter on added, not equal and removed and you’ll have your changes.
You can update your profiles by selecting the profile, and clicking “Change Version”. You can then select the security baseline version you want to update to, and whether or not you want to keep your custom settings from the baseline you want to upgrade. Once upgraded, the exclamation mark will be removed, and you can see that the version is updated to December 2020.
The Security baselines really add value to your Modern Workplace. Using the Microsoft provided best practices is really helpful if you want to setup a Modern Workplace solid basis. The functionality to compare the baselines is really handy, and it’s really easy to upgrade your version of the baseline, while maintaining the customizations you created.
The security baselines have some disadvantages though, personally I would rather have seen that Microsoft provided a set of Configuration Profiles combined in a policy set. See my article: What are Intune Policy Sets? Looking at what the current policy sets can do, and which scenarios are not supported I don’t think that policy sets are usable though. Some challenges you will face with implementing Security baselines, is that they might contain settings which you already have set with a Configuration Profile, in that case you might have a conflict reported and since the security baseline sometimes uses other naming for a setting, finding the conflicting settings sometimes is a challenge.