
Microsoft Intune announces general availability of security baselines

Dilip_Radhakrishnan
Jul 09, 2019

Microsoft Intune is excited to announce general availability of Windows MDM Security Baselines. A new version of security baselines is also being released at the same time, identified as MDM Security Baseline for Spring 2019 Update (19H1). This is a new template that includes several new settings and some other updates. Please refer to the documentation for a detailed list of what's changed in the new template.

 

A security baseline is a group of Microsoft-recommended configuration settings, accompanied by an explanation of their security impact. An industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, increases efficiency and reduces costs compared to creating one yourself. These settings are continually updated with feedback from Microsoft security engineering teams, product groups, partners, and real-world learning from thousands of customers. Microsoft security baselines provide intelligent recommendations that are relevant to the needs of your business, based on your IT infrastructure.

 

Attach the power of intelligent cloud

 

Microsoft has years of experience publishing security baselines as Group Policy Objects in the Security and Compliance Toolkit (SCT). Customers have trusted this toolkit for years to provide templates to configure security baselines through Group Policy. Microsoft Intune now brings the same collective knowledge and expertise to secure the modern desktop with MDM security baselines.

 

Microsoft-recommended security baselines in the Intune service leverage the greatly expanded manageability of Windows 10 using Mobile Device Management (MDM). These security baselines will be managed and updated directly from the cloud – providing customers the most recent and most advanced security settings and capabilities available from Microsoft 365. The same Windows security team that creates Group Policy security baselines has collaborated with Intune engineers to offer their extensive experience for these recommendations. If you're brand new to Intune, and not sure where to start, then MDM security baselines give you an advantage. You can quickly create and deploy a secure profile to help protect your organization's resources and data. If you're currently using Group Policy, migrating to Intune for management is much easier with these baselines natively built into Intune's modern management platform.

 

 

Intune MDM security baselines leverage intelligent cloud insights to deliver unique benefits beyond the security and compliance toolkit:

 

  • In-depth reporting on the state of each setting in the baseline on every device in your organization
  • A first-class policy interface using familiar Intune policies to easily customize and deploy a baseline with MDM 

You may choose to create security policies directly from these baselines and deploy them to users or customize the recommendations to meet the needs of your enterprise. Intune will validate that devices follow these baselines, report on baseline compliance and notify administrators if any devices or users move out of compliance.

 

You can see a list of all available baselines, as well as the contents of each baseline, here: https://docs.microsoft.com/en-us/intune/security-baselines#available-security-baselines

 

Versioning between baselines

 

Alongside GA, Intune is launching a versioning experience that allows you to stay up-to-date as Microsoft updates security baseline recommendations. This means that if you’ve been using the preview baseline, you’ll be able to upgrade to the newly released GA baseline in just a few clicks.

 

  1. Select a baseline. In this example, we’ll examine Windows 10 Security Baselines.

  2. You can review the contents of each version of this baseline family by selecting Versions, then choosing the version you’d like to analyze. You can also select two versions to compare by selecting both in the table and clicking Compare baselines.

  3. To upgrade a profile from one baseline version to another, go to Profiles, choose the profile you’d like to upgrade, and select Change Version.

  4. In the upgrade experience, you can choose to review the changes that the upgrade will make, as well as decide whether you’d like to:
     • Accept baseline changes but keep my existing setting customizations: This will retain any setting customizations you made in the original profile.
     • Accept baseline changes and discard my existing setting customizations: This will overwrite all customizations from the original profile and apply the new baseline recommendations wholesale.

After you make this decision, Intune will automatically update the profile to adhere to the upgraded baseline.

 

Next steps


If you are a Microsoft Intune customer, look for the Security Baselines GA to be available in your tenant over the next few days as the global roll-out completes.


If you require any help with your deployment, Microsoft offers a variety of resources and support tools to help you succeed. Customers with eligible subscriptions to Microsoft 365, Microsoft Enterprise Mobility + Security (EMS) or Microsoft Intune can request assistance from experts in FastTrack service at no additional cost for the life of their subscription. Whether you are a customer or a partner, FastTrack provides customized guidance for onboarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources to plan your deployment.

 

More info and feedback

Learn how to get started with Microsoft Intune using our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!

 

As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.

 

Follow @MSIntune on Twitter

Updated Oct 10, 2019
Version 3.0
  • DugTan
    Brass Contributor

    Thanks for the info. Great to see the Intune Security Baseline AND Administrative Templates are out of Preview. Sadly I did not see any announcement for the Administrative Template Preview and only stumbled upon this post for the Security Baseline.

     

    Is there still no way to export Security Baselines or Administrative Template Profiles?

     

    Thanks Doug

  • m_krone
    Brass Contributor

    Having problems with current status of the baselines.

    I created completely new baselines on new devices, but it takes ages to see a status in Intune.

    I also have 3 states that are completely different and do not have the current values:

    - Baseline - Overview

    - Profile - Overview

    - Per-setting status

    All of them are showing me different states, and only the "Per-setting status" is the nearest to the current state on the end device.

    I also have these profiles deployed weeks ago...

    Any idea?