Microsoft Tech Community

MDM Security Baseline vs Intune Profile


Hi all,

 

I am currently testing the 2 profiles in the Security Baselines in the default configuration.

As they are now checked against the endpoint, there is one error in the per-setting status:

Type of system scan to perform

 

The problem is now that I cannot see anything configured in the MDM Security Baseline for May 2019, while the setting itself in the Intune profile is configured.

 

Any idea?

 

Best regards

Miguel

5 Replies
I have the same problem.

Yep, same problem here. I have conflicts for both "Type of system scan to perform" and "Security Intelligence update interval (in hours)" from the MDM baseline over my Defender configuration policy.

 

I can't find a reference to either of these settings in the MDM policy. Either they're not there or, like everything else, they're named something completely different.

 

Side note: please, Microsoft, name these settings with the same naming conventions you've used everywhere else. Matching names up with new ones is not fun or a good use of our time.

@RickB60, could you solve the problem? I also have this problem and don't really understand why the AV scan settings are overlapping in both config methods. Do you know the difference, or could you please explain if you can use the Endpoint Security Baseline together with Endpoint Policies?

 

@m_krone @53CU1t 

 

I'm hoping the long explanation below will make some sense and help you understand the workings of the various policy types we can configure with MEM. I'm thinking this will not answer all questions, but here it goes anyway...

 

Let's first start with Microsoft's recommended device configuration:

  1. Start with security baselines – Microsoft’s recommended best practice configuration
  2. Fill configuration gaps with individual settings in device configuration profiles or from the Settings catalog (preview)
  3. Fill legacy configuration needs with administrative (ADMX) template settings
    • these are the device configuration profiles/templates
    • device restriction policies etc.

Security Baselines:
A security baseline profile is a template that consists of multiple device configuration profiles and includes best practices and recommendations on settings that impact security. It's a good starting point to quickly create and deploy a secure configuration.

 

You'll need to understand the default settings in the baselines you choose to use and, if need be, modify the settings according to your needs. You are not obligated to use the security baselines as is, and I'll give an example below.

 

It's very important to know that security baselines manage the same settings you might set with device configuration profiles or other types of policies like Endpoint Security policies.

Security baselines will (most of the time) set a non-default value for a setting, while other policies set a value of "Not configured" by default. You will have to configure these settings to your needs (from "Not configured" to what you need).

 

For example:

  • The MDM Security Baseline configures the following Microsoft Defender for Endpoint setting:
    Scan Network Files - YES
  • The Endpoint Security - Microsoft Defender Antivirus profile configures the same setting with a slightly different name: Allow scanning network files - Not Configured

When you look at the Policy CSP, you'll see that both configure the same CSP:
Defender/AllowScanningNetworkFiles

By default, this should give you no problems, but if you've configured "Allow scanning network files" to "Not allowed" you will have a conflict. The slightly different naming convention can be confusing...

 

Why you should always review your Security Baselines:
Here's an example: the Microsoft Defender for Endpoint Security Baseline configures BitLocker. One of the settings is "Compatible TPM startup key". This is set to "Required".

If you want to silently enable and configure BitLocker during an Autopilot deployment, this setting should be set to "Blocked".

 

Quote: "For silent enable scenarios (including Autopilot) this setting cannot be successful, as user interaction is required. It is recommended that startup keys be disabled where silent enablement of BitLocker is required."

 

Like I said before, Security Baselines can (and perhaps should) be your starting point. But make sure you understand what they configure and adjust accordingly.

 

Endpoint Security Policies:
The endpoint security policies (under the hood) are the same as the settings catalog (the same CSPs are configured). These policies should be your second go-to.

 

Use these security-focused profiles without the overhead of device configuration profiles or security baselines. These policies/profiles focus on a specific subset of device settings to configure one aspect of device security. For example, disk encryption or firewall.

These policies will give you more granular control over security-related configuration settings.

 

To keep it simple (or complicated), here's a good quote from Microsoft: "the settings found in Endpoint security policies are a subset of the settings that are found in endpoint protection and device restriction profiles in device configuration policy, and which are also managed through various security baselines"

 

That said, it's my personal belief that, over time, more and more will move away from device configuration profiles to security baselines and endpoint security profiles.

 

A little bit more about the Settings catalog
You only add the settings you want to configure and nothing more. No overhead whatsoever.
These settings are generated from the Windows configuration service providers (CSPs), just like Security Baselines and Endpoint Security profiles. Although it is in preview, I recommend you play around with the Settings catalog.

 

How to avoid conflicts
Most customers I talk to run into trouble because they started with device configuration profiles and device restriction templates. Then one day they decided to use security baselines, because that's best practice. Finally, they also start to configure Endpoint Security profiles, because that's just cool to do.

 

  • One way to avoid conflicts is to not use different policy types to configure the same settings, but that's a no-brainer.
  • The best way is to fully understand each and every setting from all the different policy types, but this will require some Einstein brainpower. You will want to make sure that every policy that configures the same setting has the same value. If that is not an option, you can set the setting in your security baselines to "Not configured" and use the Endpoint Security profile or a device configuration profile (Settings catalog/template).

 

The easiest thing to do is to accept that you'll probably start with (hopefully not a lot of) conflicts. Now we can make things work! :lol:

 

When you start with Security Baselines and you already have other policies in place, just pilot the baselines to some of the devices you have available yourself, so you can easily troubleshoot things. There is no right or wrong here, but good planning will help out a lot!

 

Please note that although VMs are a great way to test things, they do not always give the same results as physical devices.

https://docs.microsoft.com/en-us/mem/intune/protect/security-baselines :
"The Microsoft Defender for Endpoint security baseline has been optimized for physical devices and is currently not recommended for use on virtual machines (VMs) or VDI endpoints. Certain baseline settings can impact remote interactive sessions on virtualized environments."

 

Example from the field:
I use Security Baselines for most of the security configuration. However, I do fine-tune the policies. For example, I'll configure the MDE Security Baseline but set all BitLocker settings to "Not configured" and use an Endpoint Security profile (Disk Encryption) to (silently) configure BitLocker.

 

The same is true for Defender for Endpoint. The MDE and MDM security baselines have overlapping settings for Microsoft Defender. Make sure they are configured the same, or go for only one of the baselines and set the other to "Not configured". You can also configure an Endpoint Security profile for Antivirus and set the baselines to "Not configured".

 

I have to be honest: at first I was no fan of the Baselines due to the many conflicts, but as time passed I kind of started to appreciate them more and more. Perhaps I'll write a blog about this topic with more examples from the field... :smile:

 

Hope this helps.
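An added example, not from this thread and not Microsoft's code: a small Python check that does what the answer above recommends by hand. It maps each profile's display-name settings onto the Policy CSP node they actually write, flags every node that two profiles set to different values (a setting left at "Not configured" never counts), and then applies the remedy from the answer, setting the baseline's copy to "Not configured" and keeping the Endpoint Security profile. The profile contents are constructed sample data. The two display names for Defender/AllowScanningNetworkFiles are the ones quoted above; the mappings of the other two settings to Defender/ScanParameter and Defender/SignatureUpdateInterval, and the value aliases, are assumptions you should verify against your own tenant.

```python
"""Intune policy-conflict check across policy types (added example, not from the
thread). Different policy types label the same setting differently, but they
write the same Policy CSP node, so conflicts are found by comparing values per
CSP path rather than per display name. All profile data below is constructed."""

from collections import defaultdict

NOT_CONFIGURED = "Not configured"

# Display name -> Policy CSP node. The two labels for AllowScanningNetworkFiles
# are the ones quoted in the thread; the other two mappings are assumptions.
SETTING_TO_CSP = {
    "Scan Network Files": "Defender/AllowScanningNetworkFiles",            # MDM baseline label
    "Allow scanning network files": "Defender/AllowScanningNetworkFiles",  # Endpoint Security AV label
    "Type of system scan to perform": "Defender/ScanParameter",            # assumed mapping
    "Security Intelligence update interval (in hours)": "Defender/SignatureUpdateInterval",  # assumed
}

# Policy types also spell boolean values differently (Yes / Allowed / Not allowed);
# fold them to one form so "Yes" and "Allowed" do not look like a conflict. Assumed aliases.
VALUE_ALIASES = {
    "yes": "allowed", "allowed": "allowed", "allow": "allowed",
    "no": "not allowed", "block": "not allowed", "not allowed": "not allowed",
}


def normalize(value):
    """Return a comparable form of a setting value."""
    key = str(value).strip().lower()
    return VALUE_ALIASES.get(key, key)


def find_conflicts(profiles):
    """profiles: {profile name: {display name: value}}.
    Returns {csp path: {profile name: normalized value}} for every CSP node that
    two or more profiles set to different values. Unknown display names are an
    error rather than silently ignored, since an unmapped setting could hide a conflict."""
    by_csp = defaultdict(dict)
    for profile, settings in profiles.items():
        for name, value in settings.items():
            if value == NOT_CONFIGURED:
                continue  # leaves the node to whatever other policy sets it
            csp = SETTING_TO_CSP.get(name)
            if csp is None:
                raise KeyError(f"no CSP mapping for setting {name!r} in profile {profile!r}")
            by_csp[csp][profile] = normalize(value)
    return {csp: src for csp, src in by_csp.items() if len(set(src.values())) > 1}


def resolve_by_clearing(profiles, keep_profile):
    """Apply the remedy from the thread: for each conflicting CSP node, set the
    setting to Not configured in every profile except keep_profile.
    Returns a new profiles dict; the input is left untouched."""
    fixed = {p: dict(s) for p, s in profiles.items()}
    for csp, sources in find_conflicts(profiles).items():
        for profile in sources:
            if profile == keep_profile:
                continue
            for name in list(fixed[profile]):
                if SETTING_TO_CSP.get(name) == csp:
                    fixed[profile][name] = NOT_CONFIGURED
    return fixed


# Constructed sample tenant: an MDM baseline plus an Endpoint Security antivirus profile.
SAMPLE_PROFILES = {
    "MDM Security Baseline": {
        "Scan Network Files": "Yes",
        "Type of system scan to perform": "Quick scan",
        "Security Intelligence update interval (in hours)": "8",
    },
    "Endpoint Security - Antivirus": {
        "Allow scanning network files": "Not allowed",
        "Type of system scan to perform": "Quick scan",
        "Security Intelligence update interval (in hours)": NOT_CONFIGURED,
    },
}

if __name__ == "__main__":
    for csp, sources in find_conflicts(SAMPLE_PROFILES).items():
        print(f"conflict on {csp}")
        for profile, value in sources.items():
            print(f"  {profile}: {value}")
    fixed = resolve_by_clearing(SAMPLE_PROFILES, keep_profile="Endpoint Security - Antivirus")
    print("conflicts after clearing the baseline copy:", find_conflicts(fixed))
```

On the sample data only Defender/AllowScanningNetworkFiles is reported: the scan type matches in both profiles and the update interval is set in one profile only. In a real tenant you would feed the function an export of your profiles instead of the inline sample, and the per-setting status in the Intune portal that the original post refers to remains the authoritative record of what the device actually received.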