%3CLINGO-SUB%20id%3D%22lingo-sub-1671328%22%20slang%3D%22en-US%22%3ENew%20enhancements%20to%20Security%20Baselines%20in%20Microsoft%20Endpoint%20Manager%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1671328%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSTRONG%3EBy%3A%20Laura%20Arrizza%20-%20Program%20Manager%20%7C%20Microsoft%20Endpoint%20Manager%20-%20Intune%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ESecurity%20baselines%20are%20one%20of%20the%20configuration%20options%20available%20in%20Microsoft%20Endpoint%20Manager%20to%20configure%20Windows%2010%20profiles%20to%20help%20you%20secure%20and%20protect%20your%20devices%20and%20users.%20Security%20baselines%20act%20as%20a%20template%20for%20pre-configured%20groups%20of%20Windows%20settings%20and%20values%20recommended%20by%20security%20experts.%20When%20you%20create%20a%20baseline%20profile%2C%20you%20are%20creating%20a%20template%20of%20multiple%20device%20configuration%20profiles.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20expect%20some%20improvements%20and%20changes%20to%20this%20feature%20area%20which%20are%20highlighted%20in%20this%20post.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1231192699%22%20id%3D%22toc-hId-1233067602%22%20id%3D%22toc-hId-1233067602%22%3EUpdated%20baseline%20content%3C%2FH3%3E%0A%3CP%3EWe%20updated%20the%20existing%20Windows%2010%20MDM%20and%20Microsoft%20Defender%20ATP%20security%20baselines%20to%20the%20latest%20available%20version%20with%20our%202009%20September%20release.%20With%20the%20latest%20versions%2C%20you%20can%20see%20which%20settings%20have%20been%20added%2C%20removed%2C%20and%2For%20modified%20so%20you%20can%20ensure%20your%20endpoints%20stay%20secure.%20Also%2C%20the%20baselines%20have%20been%20refreshed%20to%20address%20any%20conflicting%20setting%20values%20between%20the%20two.%20Now%20with%20the%20updated%20versions%2C%20there%20should%20be%20no%20out-of-the-box%20conflicts.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Security%20Baseline.png%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219676i89D3361A4ECE66E6%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Security%20Baseline.png%22%20alt%3D%22Security%20Baseline.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EThe%20Windows%2010%20MDM%20security%20baseline%20represent%20the%20recommendations%20for%20configuring%20Windows%20for%20security%20conscious%20customers%20using%20the%20Microsoft%20security%20stack%20or%20a%203rd%20party%20security%20stack.%20The%20Microsoft%20Defender%20ATP%20security%20baseline%20represents%20the%20recommendations%20for%20configuring%20MD-ATP%20for%20customers%20using%20Microsoft%E2%80%99s%20full%20security%20stack.%20Going%20forward%2C%20the%20two%20baselines%20are%20aimed%20to%20be%20serviced%20at%20the%20same%20cadence%20to%20ensure%20the%20content%20does%20not%20contain%20conflicting%20setting%20values%20so%20you%20can%20update%20your%20baseline%20versions%20with%20confidence.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ETo%20update%20your%20baseline%20profiles%20to%20the%20latest%20version%2C%20go%20to%20Endpoint%20Security%20%26gt%3B%20Security%20baselines%20%26gt%3B%20**select%20a%20baseline**%20%26gt%3B%20Versions%20and%20see%20that%20the%20latest%20version%20is%20now%20available.%20To%20understand%20what%20has%20been%20changed%20between%20versions%2C%20use%20the%20checkboxes%20for%20two%20different%20versions%20and%20select%20%E2%80%9CCompare%20baselines%E2%80%9D.%20You%20are%20then%20prompted%20to%20download%20a%20CSV%20file%20that%20shows%20the%20differences%20before%20opting%20to%20update.%20For%20more%20information%2C%20see%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fmem%2Fintune%2Fprotect%2Fsecurity-baselines%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EUse%20security%20baselines%20to%20configure%20Windows%2010%20devices%20in%20Intune%3C%2FA%3E%20to%20learn%20more.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Security%20Baseline%202.png%22%20style%3D%22width%3A%20900px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219679i744744BEE3C1D440%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Security%20Baseline%202.png%22%20alt%3D%22Security%20Baseline%202.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId--576261764%22%20id%3D%22toc-hId--574386861%22%20id%3D%22toc-hId--574386861%22%3EImprovements%20to%20baseline%20reporting%3C%2FH3%3E%0A%3CP%3EWe%20have%20made%20a%20few%20enhancements%20to%20the%20security%20baselines%20experience%20to%20improve%20our%20reporting%20to%20make%20it%20easier%20to%20monitor%20your%20devices%20targeted%20by%20baseline%20profiles.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EUnder%20%3CSTRONG%3EEndpoint%20Security%20%26gt%3B%20Security%20Baselines%20%26gt%3B%20**select%20a%20baseline**%3C%2FSTRONG%3E%20we%20now%20take%20you%20straight%20to%20the%20list%20of%20profiles%20and%20available%20versions%20that%20are%20in%20your%20tenant.%20Once%20you%20select%20a%20baseline%20version%2C%20you%20can%20see%20information%20on%20the%20baseline%20posture%20states%20across%20your%20devices%20with%20updated%20terminology%20and%20definitions.%20The%20common%20labels%20and%20definitions%20we%20use%20for%20status%20are%20more%20granular%20to%20help%20describes%20the%20intent%20of%20the%20status%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3E%3CSTRONG%3E%22Matches%20baseline%22%3C%2FSTRONG%3E%26nbsp%3Bwill%20update%20to%20%3CSTRONG%3E%22Matches%20default%20settings%22%3C%2FSTRONG%3E%2C%20which%20better%20describes%20the%20intent%20to%20identify%20when%20a%20devices%20configuration%20matches%20the%20default%20(unmodified)%20baseline%20configuration.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3E%E2%80%9CDoes%20not%20match%20baseline%E2%80%9D%3C%2FSTRONG%3E%20will%20update%20to%20%3CSTRONG%3E%E2%80%9CMatches%20custom%20settings%E2%80%9D%3C%2FSTRONG%3E%2C%20to%20identify%20the%20devices%20that%20are%20in%20success%20against%20a%20modified%20baseline%20configuration.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3E%E2%80%9CMisconfigured%E2%80%9D%3C%2FSTRONG%3E%20will%20be%20broken%20out%20into%20more%20specific%20details%20to%20help%20identify%20where%20things%20need%20your%20attention%2C%20like%20%3CSTRONG%3E%22Error%22%3C%2FSTRONG%3E%2C%20%3CSTRONG%3E%22Conflict%22%3C%2FSTRONG%3E%26nbsp%3Band%20%3CSTRONG%3E%22Pending%22%3C%2FSTRONG%3E.%3C%2FLI%3E%0A%3CLI%3E%3CSTRONG%3E%E2%80%9CNot%20applicable%E2%80%9D%3C%2FSTRONG%3E%20will%20stay%20the%20same%20to%20call%20out%20when%20a%20setting%20is%20not%20applicable%20and%20not%20applied%20to%20the%20device.%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3EThe%20new%20states%20will%20bring%20consistency%20to%20other%20areas%20of%20the%20console.%20This%20is%20applicable%20to%20the%20security%20baseline%20posture%20aggregate%20charts%20on%20the%20Overview%20page%20and%20the%20%E2%80%9CDevice%20Status%E2%80%9D%20list%20report%20found%20in%20the%20screenshots%20below%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Security%20Baseline%203.png%22%20style%3D%22width%3A%20900px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219678i2094285025130AFE%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Security%20Baseline%203.png%22%20alt%3D%22Security%20Baseline%203.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20addition%20to%20this%2C%20you%20can%20select%20a%20device%20to%20view%20the%20list%20of%20endpoint%20security%20profiles%20and%20baselines%20assigned%20to%20the%20device.%20We%E2%80%99ve%20added%20additional%20information%20to%20this%20report%20to%20be%20able%20to%20see%20the%20user%20principal%20name%20to%20help%20you%20monitor%20your%20profiles%20against%20the%20device.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Security%20Baselines%204.png%22%20style%3D%22width%3A%20624px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219795iD0A3278D73A9751B%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Security%20Baselines%204.png%22%20alt%3D%22Security%20Baselines%204.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOnce%20you%20select%20one%20of%20the%20profiles%2C%20you%20can%20look%20at%20the%20list%20of%20settings%20applied%20to%20the%20device%20and%20the%20category.%20We%E2%80%99ve%20recently%20flattened%20the%20list%20to%20make%20it%20easier%20to%20view.%20Also%2C%20the%20setting%20status%20is%20consistent%20with%20the%20updated%20posture%20states%20to%20help%20identify%20where%20errors%20and%20conflicts%20occur.%20You%20can%20use%20the%20filter%20dropdown%20to%20have%20this%20in%20your%20view.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Security%20Baseline%204.png%22%20style%3D%22width%3A%20900px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219681iE6654F618D1F82C6%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Security%20Baseline%204.png%22%20alt%3D%22Security%20Baseline%204.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFrom%20here%2C%20you%20can%20select%20the%20setting%20to%20look%20at%20additional%20details%20and%20identify%20where%20any%20conflicts%20may%20occur%20from%20device%20configuration%20profiles%2C%20other%20baseline%20profiles%20or%20endpoint%20security%20profiles.%20The%20ones%20listed%20will%20navigate%20you%20to%20the%20profile%20resource%20to%20start%20troubleshooting%20the%20conflict.%20This%20is%20more%20consistent%20with%20the%20device%20configuration%20experience.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20image-alt%3D%22Security%20Baseline%205.png%22%20style%3D%22width%3A%20900px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F219684i014002C687556D3C%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20title%3D%22Security%20Baseline%205.png%22%20alt%3D%22Security%20Baseline%205.png%22%20%2F%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EOverall%2C%20these%20improvements%20will%20help%20with%20the%20troubleshooting%20flow%20and%20bring%20more%20consistency%20to%20the%20device%20configuration%20experience.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-1911251069%22%20id%3D%22toc-hId-1913125972%22%20id%3D%22toc-hId-1913125972%22%3EMore%20to%20come%20for%20baseline%20improvements%3C%2FH3%3E%0A%3CP%3EWe%20plan%20to%20continue%20the%20improvements%20to%20the%20baselines%20experience%20by%20publishing%20new%20content%2C%20like%20the%20Office%20security%20baseline%20and%20Update%20security%20baseline%20through%20Intune%20and%20keep%20up%20to%20date%20with%20the%20latest%20versions%20available%20for%20our%20existing%20baselines.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20addition%2C%20more%20reporting%20improvements%20are%20in%20the%20works%20to%20help%20you%20identify%20conflicts%2C%20errors%2C%20and%20see%20more%20data%20to%20monitor%20your%20baseline%20profiles.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CH3%20id%3D%22toc-hId-103796606%22%20id%3D%22toc-hId-105671509%22%20id%3D%22toc-hId-105671509%22%3EHow%20can%20you%20reach%20us%3F%3C%2FH3%3E%0A%3CP%3EKeep%20up%20to%20date%20via%20Intune%20docs%20and%20provide%20feedback%20below%20on%20what%20you%20want%20to%20see!%26nbsp%3BLet%20us%20know%20if%20you%20have%20any%20additional%20questions%20on%20this%20by%20replying%20back%20to%20this%20post%20or%20tagging%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2FIntuneSuppTeam%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3E%40IntuneSuppTeam%3C%2FA%3E%20out%20on%20Twitter.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1671328%22%20slang%3D%22en-US%22%3E%3CP%3ERead%20this%20post%20to%20learn%20more%20about%20new%20enhancements%20to%20Security%20Baselines%20in%20Microsoft%20Endpoint%20Manager!%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-1671328%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EIntune%20Customer%20Success%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMEM%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Esecurity%20baselines%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1698399%22%20slang%3D%22en-US%22%3ERe%3A%20New%20enhancements%20to%20Security%20Baselines%20in%20Microsoft%20Endpoint%20Manager%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1698399%22%20slang%3D%22en-US%22%3E%3CP%3EThese%20baselines%20are%20a%20great%20way%20to%20start%20with%20Endpoint.%3C%2FP%3E%3C%2FLINGO-BODY%3E

By: Laura Arrizza - Program Manager | Microsoft Endpoint Manager - Intune

 

Security baselines are one of the configuration options available in Microsoft Endpoint Manager to configure Windows 10 profiles to help you secure and protect your devices and users. Security baselines act as a template for pre-configured groups of Windows settings and values recommended by security experts. When you create a baseline profile, you are creating a template of multiple device configuration profiles.

 

You can expect some improvements and changes to this feature area which are highlighted in this post.

 

Updated baseline content

We updated the existing Windows 10 MDM and Microsoft Defender ATP security baselines to the latest available version with our 2009 September release. With the latest versions, you can see which settings have been added, removed, and/or modified so you can ensure your endpoints stay secure. Also, the baselines have been refreshed to address any conflicting setting values between the two. Now with the updated versions, there should be no out-of-the-box conflicts.

 

Security Baseline.png

 

The Windows 10 MDM security baseline represent the recommendations for configuring Windows for security conscious customers using the Microsoft security stack or a 3rd party security stack. The Microsoft Defender ATP security baseline represents the recommendations for configuring MD-ATP for customers using Microsoft’s full security stack. Going forward, the two baselines are aimed to be serviced at the same cadence to ensure the content does not contain conflicting setting values so you can update your baseline versions with confidence.

 

To update your baseline profiles to the latest version, go to Endpoint Security > Security baselines > **select a baseline** > Versions and see that the latest version is now available. To understand what has been changed between versions, use the checkboxes for two different versions and select “Compare baselines”. You are then prompted to download a CSV file that shows the differences before opting to update. For more information, see: Use security baselines to configure Windows 10 devices in Intune to learn more.

 

Security Baseline 2.png

Improvements to baseline reporting

We have made a few enhancements to the security baselines experience to improve our reporting to make it easier to monitor your devices targeted by baseline profiles.

 

Under Endpoint Security > Security Baselines > **select a baseline** we now take you straight to the list of profiles and available versions that are in your tenant. Once you select a baseline version, you can see information on the baseline posture states across your devices with updated terminology and definitions. The common labels and definitions we use for status are more granular to help describes the intent of the status:

  • "Matches baseline" will update to "Matches default settings", which better describes the intent to identify when a devices configuration matches the default (unmodified) baseline configuration.
  • “Does not match baseline” will update to “Matches custom settings”, to identify the devices that are in success against a modified baseline configuration.
  • “Misconfigured” will be broken out into more specific details to help identify where things need your attention, like "Error", "Conflict" and "Pending".
  • “Not applicable” will stay the same to call out when a setting is not applicable and not applied to the device.

The new states will bring consistency to other areas of the console. This is applicable to the security baseline posture aggregate charts on the Overview page and the “Device Status” list report found in the screenshots below:

 

Security Baseline 3.png

 

In addition to this, you can select a device to view the list of endpoint security profiles and baselines assigned to the device. We’ve added additional information to this report to be able to see the user principal name to help you monitor your profiles against the device.

 

Security Baselines 4.png

 

Once you select one of the profiles, you can look at the list of settings applied to the device and the category. We’ve recently flattened the list to make it easier to view. Also, the setting status is consistent with the updated posture states to help identify where errors and conflicts occur. You can use the filter dropdown to have this in your view.

 

Security Baseline 4.png

 

From here, you can select the setting to look at additional details and identify where any conflicts may occur from device configuration profiles, other baseline profiles or endpoint security profiles. The ones listed will navigate you to the profile resource to start troubleshooting the conflict. This is more consistent with the device configuration experience.

 

Security Baseline 5.png

 

Overall, these improvements will help with the troubleshooting flow and bring more consistency to the device configuration experience.

 

More to come for baseline improvements

We plan to continue the improvements to the baselines experience by publishing new content, like the Office security baseline and Update security baseline through Intune and keep up to date with the latest versions available for our existing baselines.

 

In addition, more reporting improvements are in the works to help you identify conflicts, errors, and see more data to monitor your baseline profiles.

 

How can you reach us?

Keep up to date via Intune docs and provide feedback below on what you want to see! Let us know if you have any additional questions on this by replying back to this post or tagging @IntuneSuppTeam out on Twitter.

2 Comments

These baselines are a great way to start with Endpoint.

Respected Contributor

I have noticed that the Intune/Endpoint Manager planning guide does not discuss Security Baselines, which appears to be an oversight. I think that using these should be the first choice for many companies and that this should be emphasized in the planning process