Microsoft Intune is excited to announce general availability of Windows MDM Security Baselines. A new version of security baselines is also being released at the same time, identified as MDM Security Baseline for Spring 2019 Update (19H1). This is a new template that includes several new settings and some other updates. Please refer to the documentation for a detailed list of what’s changed in the new template.
A security baseline is a group of Microsoft-recommended configuration settings, each with an explanation of its security impact. Using an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, increases efficiency and reduces costs compared to creating one yourself. These settings are continually updated with feedback from Microsoft security engineering teams, product groups, partners, and real-world learning from thousands of customers. Microsoft security baselines provide intelligent recommendations that are relevant to the needs of your business, based on your IT infrastructure.
Attach the power of intelligent cloud
Microsoft has years of experience publishing security baselines as Group Policy Objects in the Security and Compliance Toolkit (SCT). Customers have trusted this toolkit for years to provide templates to configure security baselines through Group Policy. Microsoft Intune now brings the same collective knowledge and expertise to secure the modern desktop with MDM security baselines.
Microsoft-recommended security baselines in the Intune service leverage the greatly expanded manageability of Windows 10 using Mobile Device Management (MDM). These security baselines will be managed and updated directly from the cloud – providing customers the most recent and most advanced security settings and capabilities available from Microsoft 365. The same Windows security team that creates Group Policy security baselines has collaborated with Intune engineers to offer their extensive experience for these recommendations. If you’re brand new to Intune, and not sure where to start, then MDM security baselines give you an advantage. You can quickly create and deploy a secure profile to help protect your organization’s resources and data. If you’re currently using Group Policy, migrating to Intune for management is much easier with these baselines natively built into Intune’s modern management platform.
Intune MDM security baselines leverage intelligent cloud insights to deliver unique benefits beyond the Security and Compliance Toolkit:
- In-depth reporting on the state of each setting in the baseline on every device in your organization
- A first-class policy interface using familiar Intune policies to easily customize and deploy a baseline with MDM
You may choose to create security policies directly from these baselines and deploy them to users or customize the recommendations to meet the needs of your enterprise. Intune will validate that devices follow these baselines, report on baseline compliance and notify administrators if any devices or users move out of compliance.
You can see a list of all available baselines, as well as the contents of each baseline, here: https://docs.microsoft.com/en-us/intune/security-baselines#available-security-baselines
Versioning between baselines
Alongside GA, Intune is launching a versioning experience that allows you to stay up-to-date as Microsoft updates security baseline recommendations. This means that if you’ve been using the preview baseline, you’ll be able to upgrade to the newly released GA baseline in just a few clicks.
- Select a baseline. In this example, we’ll examine Windows 10 Security Baselines.
- You can review the contents of each version of this baseline family by selecting Versions, then choosing the version you’d like to analyze. You can also select two versions to compare by selecting both in the table and clicking Compare baselines.
- To upgrade a profile from one baseline version to another, go to Profiles, choose the profile you’d like to upgrade, and select Change Version.
- In the upgrade experience, you can choose to review the changes that the upgrade will make, as well as decide whether you’d like to:
  - Accept baseline changes but keep my existing setting customizations: This will retain any setting customizations you made in the original profile.
  - Accept baseline changes and discard my existing setting customizations: This will overwrite all customizations from the original profile and apply the new baseline recommendations wholesale.
After you make this decision, Intune will automatically update the profile to adhere to the upgraded baseline.
If you are a Microsoft Intune customer, look for the Security Baselines GA to be available in your tenant over the next few days as the global roll-out completes.
If you require any help with your deployment, Microsoft offers a variety of resources and support tools to help you succeed. Customers with eligible subscriptions to Microsoft 365, Microsoft Enterprise Mobility + Security (EMS) or Microsoft Intune can request assistance from experts in FastTrack service at no additional cost for the life of their subscription. Whether you are a customer or a partner, FastTrack provides customized guidance for onboarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources to plan your deployment.
More info and feedback
As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.
Follow @MSIntune on Twitter