PatrickF11
Steel Contributor
Sep 05, 2019

Security Baselines instead of standalone configs?

Hi everyone,

 

I'm asking myself why security baselines are useful. At the moment I use device configurations for ATP, Hello, Device restrictions etc.

Why should I use security baselines instead? What are the advantages for me?

 

Thank you in advance. 🙂

Patrick

  • PatrickF11 The benefits would be that you get recommended settings just as we do with the GPO version of the baseline. Each time a new Windows 10 version is released, a new version of the baseline for that version will be available. That will save you time and make it easier to be more secure.

    Regards,
    Jörgen

    • Neil Goldstein-EASI
      Copper Contributor

      SweJorgenMVP 

       

      The only problem is that the Intune Security Baseline for Windows is not keeping up with the Windows Security Baseline.

       

      In Aug 2020, on a new tenant with release 2007, the Intune Windows 10 Security Baseline version is May 2019.

       

      Since May 2019 the Windows Security Baseline went final in Nov 2019 [https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1909-and-windows-server/ba-p/1023093], but over half a year later the Intune Security Baseline for Windows 10 hasn't been touched.

       

      It wouldn't be such a problem if the Security Baseline deployed settings which another policy could tweak, but that causes setting conflicts.

       

      And if you have Windows Security Baseline + Windows Defender ATP Baseline ... you have to be very careful in your policy changes because both baselines have some overlapping settings (for example BitLocker).

       

      • PatrickF11
        Steel Contributor
        These are some reasons why I don't use the baselines. 😕
        By the way: I've opened a ticket at MS asking what the best practice is. (So where to configure some settings. Some of them are in the old-fashioned device configuration profiles, some of them are in the baselines, too, and some of them are in the device security blade, too.)
        Support's answer was: Device configuration profiles. 😄
