(This post is authored in collaboration with Joey Glocke, Senior Program Manager, Microsoft 365 Security)
Today, enterprise IT pros and policy makers must frequently update Windows security settings to help mitigate evolving cyber-security threats. The one-size-fits-all security approach often does not work anymore because what is most concerning to one organization may be completely different from the threats faced by another organization. Administrators are faced with deploying the right security configuration from hundreds of available granular device management controls, without impacting operations or productivity. Microsoft Intune helps administrators navigate and select the right Windows 10 security features for their business by offering security baselines within the service.
A security baseline is a group of Microsoft-recommended configuration settings, each accompanied by an explanation of its security impact. Industry-standard configurations that are broadly known and well-tested, such as Microsoft security baselines, increase efficiency and reduce costs compared to creating them all by yourself. These settings are continually updated with feedback from Microsoft security engineering teams, product groups, partners, and real-world learning from thousands of customers. Microsoft security baselines provide intelligent recommendations that are relevant to the needs of your business, based on your IT infrastructure.
Attach the power of intelligent cloud
Microsoft has years of experience publishing security baselines as Group Policy Objects in the Security and Compliance Toolkit (SCT). Customers have trusted this toolkit for years to provide templates to configure security baselines through Group Policy. Microsoft Intune now brings the same collective knowledge and expertise to secure the modern desktop with MDM security baselines.
Microsoft-recommended security baselines in the Intune service leverage the greatly expanded manageability of Windows 10 using Mobile Device Management (MDM). These security baselines will be managed and updated directly from the cloud – providing customers the most recent and most advanced security settings and capabilities available from Microsoft 365. The same Windows security team that creates Group Policy security baselines has collaborated with Intune engineers to offer their extensive experience for these recommendations. If you're brand new to Intune, and not sure where to start, then MDM security baselines give you an advantage. You can quickly create and deploy a secure profile to help protect your organization's resources and data. If you're currently using Group Policy, migrating to Intune for management is much easier with these baselines natively built into Intune's modern management platform.
Intune MDM security baselines leverage intelligent cloud insights to deliver unique benefits beyond the Security and Compliance Toolkit:
- In-depth reporting on the state of each setting in the baseline on every device in your organization
- A first-class policy interface using familiar Intune policies to easily customize and deploy a baseline with MDM
- A versioning experience to stay up-to-date when Microsoft updates security baseline recommendations
You may choose to create security policies directly from these baselines and deploy them to users or customize the recommendations to meet the needs of your enterprise. Intune will validate that devices follow these baselines, report on baseline compliance and notify administrators if any devices or users move out of compliance.
Overview of MDM Security Baselines
Here’s an overview of various aspects of MDM security baselines in the Intune console. Please refer to Microsoft Intune product documentation for prerequisites and guidance on deploying this feature:
1. Log in to the Microsoft Intune administration center and look for the new “Security baselines” workspace in the left navigation. If you don't see Security baselines in the left navigation panel, you may need to search for it in all services and add it to your favorites.
2. Review insights into the state of your Windows 10 devices against each published security baseline. Drill down to see more details and resolve the status, as appropriate.
3. Create a security baseline profile using the familiar, customizable Intune policy interface
4. Easily deploy the security profiles to Azure Active Directory user groups
The public preview of MDM security baselines is now being rolled out to Microsoft Intune tenants. If you are a Microsoft Intune customer, look for the public preview to be available in your tenant shortly.
If you require any help with your deployment, Microsoft offers a variety of resources and support tools to help you succeed. Customers with eligible subscriptions to Microsoft 365, Microsoft Enterprise Mobility + Security (EMS) or Microsoft Intune can request assistance from experts in FastTrack service at no additional cost for the life of their subscription. Whether you are a customer or a partner, FastTrack provides customized guidance for onboarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources to plan your deployment.