Policy management with Microsoft Intune
You’ve seen all the exciting Microsoft Intune policy news at Microsoft Ignite, now it’s time to go deeper. Come join Julia and Mike as we share our top five Intune policy tips and tricks to help keep your endpoints managed and secure.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, RSVP for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
128 Comments
- Heather_Poulsen
Community Manager
- trevorjones
Brass Contributor
MS publish a new security baseline for each new OS release, but the Windows security baseline in Intune remains the same. Can you publish baselines applicable to OS releases that we can then target to different releases in Intune?
- Mike-Danoski
Microsoft
Thanks for the question Trevor. We have updates to the baselines coming soon. I believe when new recommendations are available, they are backwards compatible to previous versions and should contain the latest security considerations.
- trevorjones
Brass Contributor
It's great that updates are coming, but the update schedule for the Intune Windows security baseline doesn't follow the release schedule for the OS (same for other baselines). The last two baseline updates in Intune are Nov 2021 and Dec 2020. Unless the Intune baselines are updated in sync with the OS release schedule, you effectively have to deploy any delta security policies separately, so the baselines are no longer fully baselines at that point and require additional policy deployments. A big thumbs up if you can update the Intune baselines in sync with the release dates of what they are protecting.
- EricOhlin
Iron Contributor
Why do policies with only device scope settings assigned to groups with only devices show separate entries for users in the report?
For example, my "Test - GPO - Client_Windows_Update_for_Business" policy contains only device settings, and it's scoped to a device, but you can see in the picture of my device's monitor view that the policy has been applied three times. Thanks!
- Mike-Danoski
Microsoft
Thank you for your question Eric. Regardless of scope, each user may have a different state for each setting, so we show the results of the check-ins for each unique pair. A pair consists of a device ID and user ID presented at check-in and this page shows all combos with the specific selected DeviceID. We've been hearing similar feedback on how to make this report more friendly for a single user device with an associated primary user. Would you prefer to only see the results for the assigned primary user of the device?
- EricOhlin
Iron Contributor
Hey Mike, thank you for the detailed explanation. Are these details in Microsoft Docs? (I've searched, and I'm unable to find them.)
Some of the confusion stems from the differing statuses. For example, I am looking at the Test - GPO - Client_Windows_Update_for_Business - Telemetry policy in my screenshot.
There are three unique pairs in my screenshot.
Device / No user = Error
Device / eohlin = Error
Device / eohlin (priv account) = Succeeded
How does this even happen? Why could the policy not apply to the device without a user when it's a device scope policy? Why does it work for one user but not the other? (This leads to the other question I asked about the empty error codes and how we should triage this.)
"Would you prefer to only see the results for the assigned primary user of the device?"
In the end, I want to see all green, and if I do not see green, how do I fix it? It also doesn't make sense to me how each user can have a different state for a policy that's not scoped to them. For example, doesn't a device scope setting apply to everyone who logs onto the device, the same, no matter what?
Thank you for your time. We appreciate it.
- EricOhlin
Iron Contributor
The error codes for CSP setting status "Error" are not helpful. What should be my next step to action this error? Thank you.
- Mike-Danoski
Microsoft
Hi Eric, what kind of profile is this?
- EricOhlin
Iron Contributor
Hey Mike-Danoski, I hope you are well. Were you able to review my response? Thanks!
- Paul_Woodward
Iron Contributor
Thanks Mike, awesome stuff. Being able to copy/paste policy, even if we have to use Graph, is really useful.
- Mike-Danoski
Microsoft
Thanks for the feedback Paul. 👍
- Andreas_Erber
Copper Contributor
So, I imported a few ADMX for Chrome and Firefox and created a profile with it. Now the question arises what will happen if I need to update those ADMX to a more current version. I only can delete ADMX but not update them. What happens to the profile if the ADMX that it was based on is no longer imported? What happens if I delete the ADMX and replace it with a newer one? And why do I need to import Windows.ADMX if I want to use chrome.admx?
- Mike-Danoski
Microsoft
A few questions here so let's go:
1. If you attempt to delete an import that has contents that are currently in use, the delete will not complete and it will show you a message letting you know you have to remove the policy first.
2. When new settings are available, you can either back out and delete the import and import the latest version, or create a new file with only the new settings and upload it as a delta. We plan to add upgrade in the future.
3. The Chrome ADMX specifies its namespace as Chrome using both Google and Windows namespaces, so both must be available for reference for the upload to work.
We did some work to remove the requirement for Windows.admx since we already have that available globally, but we hit an issue, had to roll that back, and are working on resolving this in the future.
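Added example, not part of the thread and not Microsoft tooling: an offline pre-check that reads the `policyNamespaces` header of each ADMX file and works out an import order in which every referenced namespace is already available, which is the dependency described in the answer above. The sample headers are constructed (assumed namespace strings), and the helper names `sample_admx`, `read_namespaces` and `import_order` are illustrative.

```python
import xml.etree.ElementTree as ET

def sample_admx(target, using=()):
    """Build a constructed ADMX header (illustrative, not a vendor file)."""
    uses = "".join(f'<using prefix="p{i}" namespace="{ns}"/>'
                   for i, ns in enumerate(using))
    return ('<policyDefinitions xmlns="http://schemas.microsoft.com/'
            'GroupPolicy/2006/07/PolicyDefinitions"><policyNamespaces>'
            f'<target prefix="t" namespace="{target}"/>{uses}'
            '</policyNamespaces></policyDefinitions>')

def read_namespaces(admx_text):
    """Return (target namespace, set of 'using' namespaces) for one ADMX."""
    target, using = None, set()
    for el in ET.fromstring(admx_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]   # ignore the XML namespace URI
        if tag == "target":
            target = el.get("namespace")
        elif tag == "using":
            using.add(el.get("namespace"))
    return target, using

def import_order(files):
    """Return (file names in a workable import order,
    {blocked file: referenced namespaces that are not yet provided})."""
    pending = {name: read_namespaces(text) for name, text in files.items()}
    provided, ordered, progress = set(), [], True
    while pending and progress:
        progress = False
        for name in sorted(pending):
            target, using = pending[name]
            if using <= provided:          # all references already imported
                ordered.append(name)
                provided.add(target)
                del pending[name]
                progress = True
    return ordered, {n: sorted(u - provided) for n, (_, u) in pending.items()}

# Constructed set mirroring the thread: chrome.admx references two namespaces.
FILES = {
    "Windows.admx": sample_admx("Microsoft.Policies.Windows"),
    "google.admx": sample_admx("Google.Policies"),
    "chrome.admx": sample_admx("Google.Policies.Chrome",
                               ["Google.Policies", "Microsoft.Policies.Windows"]),
}

if __name__ == "__main__":
    print(import_order(FILES))
```

For real files, pass the file contents read as bytes so an XML declaration with an encoding attribute parses cleanly.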
- HeyHey16K
Iron Contributor
Also interested in this
- HeyHey16K
Iron Contributor
Our firewall settings are configured in Group Policy. We used the MS firewall tool to import them into Intune but they import into the old/decommissioned Intune firewall templates, not the new ones?
- Mike-Danoski
Microsoft
Hi Michelle, which import tool are you referring to?
- HeyHey16K
Iron Contributor
- Drizz_coop
Brass Contributor
Policy preference/ordering: when will this be happening? Baselines are great, but we need a way to set exception groups.
- Mike-Danoski
Microsoft
Hi Robert, thanks for the feedback on assignments and grouping. For the current best practices, I would point to this blog by Mr. Duffy. https://techcommunity.microsoft.com/t5/intune-customer-success/intune-grouping-targeting-and-filtering-recommendations-for-best/ba-p/2983058
- JEngel05
Brass Contributor
FYI - The script examples shown are using ADAL for authentication which is EOL in 2 months.
- Mike-Danoski
Microsoft
Thanks for pointing this out James, I'll forward your feedback to the contributors.
- DaneaGalbraith
Iron Contributor
For Office baseline will the Office Cloud App Policy be integrated into that?
- Mike-Danoski
Microsoft
Hi Danea, the Office Baseline in Intune will be based off this content: https://learn.microsoft.com/en-us/deployoffice/security/security-baseline.