Safeguard devices and data with Microsoft Intune for endpoint security
Event details
Make the most of the latest updates and trends in technology. Join us for a comprehensive guide on how to better secure your devices and data from cyber threats. Don’t miss our top 5 tips for endpoint security that will help keep you safe and productive.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
- PanuSaukko (Iron Contributor): Windows Security baseline has not been updated for a long time. When will an updated Windows 10/11 security baseline be released?
- Julia_Idaewor (Microsoft): Hi Panu! Thanks for your feedback. There's kind of a long answer for this. The primary reason for the prolonged update cycle in Intune stems from a combination of factors, including a one-time internal dependency on a separate team within Microsoft whose fix has an ongoing deployment, the complexity of integrating new settings on the new unified settings platform, and a thorough testing process to guarantee the reliability and stability of the baselines. The aforementioned fix was deployed for the Edge baseline, which is why it was finally updated in Intune after a long stretch of no updates (btw, the latest update for the Edge baseline in Intune will be released in two weeks!!). Although the fix has yet to be deployed for the Windows baseline, it is ~80% complete and we are currently in testing/validating phases. The fix is taking particularly longer to validate for the Windows baseline due to the vast amount of settings (100+). We are committed to maintaining the integrity of our service and ensuring that any changes we implement meet the stringent standards required for enterprise-grade solutions. I understand that your teams require the latest features and security enhancements promptly and I can assure you we are not minimizing the importance and urgency of this. As we update these baselines, the good news is that the new infrastructure based on the unified settings platform will significantly reduce the turnaround time for baseline updates. These updates will not only improve the speed of delivery but also enhance the overall performance and functionality of the Intune baselines. We value your feedback, and it is instrumental in driving our commitment to continuous improvement. Your satisfaction is our top priority, and we are dedicated to providing you with a more seamless and efficient experience within Intune!
- MattWailes80 (Copper Contributor): Thank you Julia, are the upcoming changes to the Security Baselines documented anywhere? It will be helpful for me to show my clients as they look to implement these in the near term. Thank you.
- SteveThomas (Microsoft): Windows 11's baseline was recently updated for 23H2: https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-23h2-security-baseline/ba-p/3967618
- hozefajhabuawala (Occasional Reader): Steve, these new baselines are published in ADMX format and currently there is a limit of importing only 10 ADMX in a tenant. So does Microsoft have any plan to increase this limit?
- MichaelHildebrand (Microsoft): Also, as an FYI, the LAPS pwd can also be obtained via the Entra ID 'devices' page for a given device... 🙂
- Joe_Lurie (Microsoft): BONUS TIP for the bonus tip!
- RobdeRoos (Iron Contributor): Additional question. Can that be hidden for specific roles?
- MichaelHildebrand (Microsoft): There are RBAC controls for LAPS in Intune and Entra ID. I'm not sure if it would 'hide' the UI element or only gray it out. https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview#role-based-access-controls-for-laps AND/OR https://learn.microsoft.com/en-us/mem/intune/protect/windows-laps-overview#role-based-access-controls-for-laps
- CENSS (Brass Contributor): Hello. Excellent presentation. When we used the ASR Device Control policy, the deployment was fine, and removing the policy from a device, by excluding it, also worked fine. However, we needed to manually fix the registry to fully remove the policy settings: the removal by Intune ASR succeeded, but there were left-over configs in the local computers' registry that still blocked USB storage or printing access, which was unexpected as the policy was no longer applied (as verified in the Intune console). The policy was to disable access to local USB storage on select computers. It looks like the exclusion in ASR worked and was applied, but we needed to manually clear the registry settings, which was painful... deploying an ASR policy with the opposite configs worked, but was not as successful as the manual registry "clean up". Thoughts? Thank you.
- mikedano (Microsoft): I've heard this before, and while I don't have much to share at the moment, this is something we are looking into.
- HeyHey16K (Steel Contributor): We have seen this happen with a lot of Intune policies: you revoke the policy or exclude from it and the settings have tattooed. Would be great if there could be a perm fix for this. Group Policy did tattoo a few things but not to this extent. It's logged in the Feedback portal here: https://feedbackportal.microsoft.com/feedback/idea/c636d31c-e398-ee11-a81c-0022484f9f6d
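The complaint in the two posts above is that the exclusion is reported as applied in the console while the settings stay enforced on the box. The script below is an added example (editor's, not from the session or from any commenter) for checking that on a device: it lists what is still sitting in the registry locations the removable-storage and Defender Device Control policies write to, shows the MDM client's own record of what it applied, and with -Remove deletes the Policies-hive copies. The registry paths are an assumption about which settings the profile used; confirm them on a device that still has the profile assigned before trusting the cleanup, and note that -Remove drops the whole key, which is only right when the profile has been excluded entirely as in CENSS's case.

```powershell
<#
Added example (editor's, not from the session or from any commenter above).
Audits the registry locations that the removable-storage and Defender Device Control
policies write on a Windows endpoint, and with -Remove deletes the Policies-hive copies
that survive the Intune exclusion. Assumptions: the policy used these paths (confirm on a
device that still has the profile applied), and the script runs in an elevated session.
#>
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remove)

# Policies-hive keys. RemovableStorageDevices holds the Storage CSP / "Removable Storage
# Access" settings (the GUID subkey for removable disks carries Deny_Read / Deny_Write /
# Deny_Execute DWORDs); "Device Control" holds Defender's printer and USB rule set.
$PolicyPaths = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices',
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Device Control'
)

# The MDM client's own record of what it applied (assumed path for the Storage area).
# Report only: PolicyManager is owned by the MDM client and rewritten on sync, so it is
# never deleted here.
$MdmPaths = @('HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\Storage')

function Get-RegistryValuesRecursive {
    # Returns one object per value under $Path, including values in nested subkeys.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { return }
    $keys = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue)
    foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name                                   # HKEY_LOCAL_MACHINE\...
                Name  = $(if ($name) { $name } else { '(Default)' })
                Value = $key.GetValue($name)
            }
        }
    }
}

$leftovers = @(foreach ($p in $PolicyPaths) { Get-RegistryValuesRecursive -Path $p })
$mdmState  = @(foreach ($p in $MdmPaths)    { Get-RegistryValuesRecursive -Path $p })

if ($leftovers.Count -eq 0) {
    Write-Output 'Policies hive: no removable-storage / Device Control values present.'
} else {
    Write-Output 'Policies hive: values still enforced on this device:'
    $leftovers | Format-Table -AutoSize | Out-String | Write-Output
}

if ($mdmState.Count -gt 0) {
    Write-Output 'MDM PolicyManager state (compare with what the Intune console says is assigned):'
    $mdmState | Format-Table -AutoSize | Out-String | Write-Output
}

if ($Remove -and $leftovers.Count -gt 0) {
    foreach ($p in $PolicyPaths) {
        if ((Test-Path -Path $p) -and $PSCmdlet.ShouldProcess($p, 'Remove leftover policy key')) {
            Remove-Item -Path $p -Recurse -Force
        }
    }
    Write-Output 'Removed. Re-insert the device or reboot and re-test, then run an Intune sync and re-run this script to confirm nothing comes back.'
}
```

Run it once without -Remove on a device where the exclusion has already been reported, and once more after a sync with -Remove -WhatIf to see exactly which keys would go. Values that reappear after the sync are not tattooing; they mean another assigned profile still carries the setting.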
- Nathan_Lockwood (Brass Contributor): The ASR reusable features are way better than using the custom profile OMA-URI solution.
- mikedano (Microsoft): We're glad you like it!
- JereSep (Copper Contributor): Can we set LAPS passwords to not use i or l and O and 0 for easier readability?
- mikedano (Microsoft): Thanks for your question Jere, I don't think this is currently configurable, or set by default. I will take this as feedback as I can certainly relate to the issue you raise 🙂
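Two threads above touch the same workflow: Michael's note that the LAPS password is readable from the Entra ID devices page (and gated by the LAPS RBAC he links to), and Jere's point that the generated passwords mix look-alike characters. The script below is an added example (editor's, not from the session or from any commenter) that pulls the password through the same Entra-backed path from PowerShell and renders it for reading aloud so that O/0 and l/I/1 cannot be confused. It assumes the LAPS module that ships with Windows (Get-LapsAADPassword) and Microsoft.Graph.Authentication are available, that the caller's Entra role carries microsoft.directory/deviceLocalCredentials/password/read, and that -DeviceIds accepts the device name or device ID shown on the Entra devices page; the device name in the usage line is a placeholder.

```powershell
<#
Added example (editor's, not from the session or from any commenter above).
Reads the Windows LAPS password Entra ID holds for a device and spells it out for
reading over the phone. Assumptions: the built-in LAPS module and
Microsoft.Graph.Authentication are installed; the caller's Entra role includes
microsoft.directory/deviceLocalCredentials/password/read; -DeviceIds takes the Entra
device name or device ID.
#>
#Requires -Modules LAPS, Microsoft.Graph.Authentication

function ConvertTo-SpokenPassword {
    # Spell each character so 'O' vs '0' and 'l' vs 'I' vs '1' are unambiguous when read aloud.
    param([Parameter(Mandatory)][string]$Password)
    $nato = @{
        a='alfa'; b='bravo'; c='charlie'; d='delta'; e='echo'; f='foxtrot'; g='golf'
        h='hotel'; i='india'; j='juliett'; k='kilo'; l='lima'; m='mike'; n='november'
        o='oscar'; p='papa'; q='quebec'; r='romeo'; s='sierra'; t='tango'; u='uniform'
        v='victor'; w='whiskey'; x='xray'; y='yankee'; z='zulu'
    }
    $digits = @{
        '0'='zero'; '1'='one'; '2'='two'; '3'='three'; '4'='four'
        '5'='five'; '6'='six'; '7'='seven'; '8'='eight'; '9'='nine'
    }
    $spoken = foreach ($ch in $Password.ToCharArray()) {
        $s = [string]$ch
        if     ($s -cmatch '^[A-Z]$') { "CAPITAL $($nato[$s.ToLower()])" }   # -cmatch: case-sensitive
        elseif ($s -cmatch '^[a-z]$') { "lowercase $($nato[$s])" }
        elseif ($s -match  '^[0-9]$') { "digit $($digits[$s])" }
        else                          { "symbol $s" }
    }
    $spoken -join ', '
}

function Get-SpokenLapsPassword {
    param([Parameter(Mandatory)][string]$DeviceId)
    # DeviceLocalCredential.Read.All is the Graph permission behind the password read;
    # Device.Read.All lets the cmdlet resolve a device name to its ID.
    Connect-MgGraph -Scopes 'DeviceLocalCredential.Read.All', 'Device.Read.All' -NoWelcome
    $cred = Get-LapsAADPassword -DeviceIds $DeviceId -IncludePasswords -AsPlainText
    [pscustomobject]@{
        Device   = $cred.DeviceName
        Account  = $cred.Account
        Expires  = $cred.PasswordExpirationTime
        Password = $cred.Password
        Spoken   = ConvertTo-SpokenPassword -Password $cred.Password
    }
}

# Usage (device name is a placeholder):
# Get-SpokenLapsPassword -DeviceId 'PC-12345' | Format-List
```

Without -AsPlainText the cmdlet returns the password as a SecureString, which is the form to keep when the value is only being passed on to another tool rather than read out to a person. An operator whose role lacks the password read permission gets the device metadata but no password from the same call, which is the behaviour the RBAC thread above is asking about.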
- Derrick_Connors (Copper Contributor): Can you advise what support Intune has for implementing https://www.cisecurity.org/cis-benchmarks?
- mikedano (Microsoft): We are working with our friends in Windows to add support for some of the settings previously only available via GPO. Once we have these added, we are exploring ways to make this a streamlined experience for admins. I don't have additional details to share now. Also see part of Julia's comment below: "[...]We are planning to support the STIG baseline in Intune eventually, but it'll be alongside other 3rd party security baselines which are in the backlog, but no concrete timelines that I can share just yet. Right now, our main priority is getting all the existing baselines updated & released before we look at supporting 3rd party baselines."
- treestryder (Steel Contributor): We have a need to implement the Defense Information Systems Agency's Security Technical Implementation Guide (STIG). This has been made a requirement before we can upgrade to Windows 11. Does Microsoft have guidance or a simplified method to "STIG" Windows 11? Security Baselines look related, but would require a lot of research to determine where there is a union between the two.
- Julia_Idaewor (Microsoft): Hi Nathan, thanks for your feedback! We are planning to support the STIG baseline in Intune eventually, but it'll be alongside other 3rd party security baselines which are in the backlog, but no concrete timelines that I can share just yet. Right now, our main priority is getting all the existing baselines updated & released before we look at supporting 3rd party baselines.
- RobdeRoos (Iron Contributor): Something I am missing in securing devices of our customers is AppLocker or WDAC without the difficult configuration of it in Intune. I hope it will get easier to configure.
- Quoc Lai (Microsoft): We recently released a preview of App Control for Business that supports a more simplified UI way of applying WDAC and Managed Installers. Refer to the docs for more details: https://learn.microsoft.com/en-us/mem/intune/protect/endpoint-security-app-control-policy
- Char_Cheesman (Bronze Contributor): Welcome to Safeguard devices and data with Microsoft Intune for endpoint security and the second annual Microsoft Technical Takeoff for Windows + Intune! Have a question? Post here in the Comments so we can help. Let's make this an active Q&A!
- RobdeRoos (Iron Contributor): The YouTube stream seems to be starting a bit late. It only just popped up in the middle of the demo.
- mikedano (Microsoft): Thanks for the feedback. The whole video is now available on this page.