Microsoft Intune introduces MDM Security Baselines to secure the modern workplace
Published Jan 30 2019 06:02 PM
Microsoft

(This post is authored in collaboration with Joey Glocke, Senior Program Manager, Microsoft 365 Security)


Today, enterprise IT pros and policy makers must frequently update Windows security settings to help mitigate evolving cyber-security threats. The one-size-fits-all security approach often does not work anymore because what is most concerning to one organization may be completely different from the threats faced by another organization. Administrators are faced with deploying the right security configuration from hundreds of available granular device management controls, without impacting operations or productivity. Microsoft Intune helps administrators navigate and select the right Windows 10 security features for their business by offering security baselines within the service.


A security baseline is a group of Microsoft-recommended configuration settings, each accompanied by an explanation of its security impact. Adopting a broadly known, well-tested, industry-standard configuration such as the Microsoft security baselines is more efficient and less costly than building your own from scratch. These settings are continually updated with feedback from Microsoft security engineering teams, product groups, partners, and real-world learning from thousands of customers. Microsoft security baselines provide intelligent recommendations that are relevant to the needs of your business, based on your IT infrastructure.

Attach the power of the intelligent cloud

Microsoft has years of experience publishing security baselines as Group Policy Objects in the Security and Compliance Toolkit (SCT). Customers have trusted this toolkit for years to provide templates to configure security baselines through Group Policy. Microsoft Intune now brings the same collective knowledge and expertise to secure the modern desktop with MDM security baselines.


Microsoft recommended security baselines in the Intune service leverage the greatly expanded manageability of Windows 10 using Mobile Device Management (MDM). These security baselines will be managed and updated directly from the cloud – providing customers the most recent and most advanced security settings and capabilities available from Microsoft 365. The same Windows security team that creates Group Policy security baselines has collaborated with Intune engineers to offer their extensive experience for these recommendations. If you're brand new to Intune, and not sure where to start, then MDM security baselines give you an advantage. You can quickly create and deploy a secure profile to help protect your organization's resources and data. If you're currently using Group Policy, migrating to Intune for management is much easier with these baselines natively built into Intune's modern management platform.


Intune MDM security baselines leverage intelligent cloud insights to deliver unique benefits beyond the security and compliance toolkit:


  • In-depth reporting on the state of each setting in the baseline on every device in your organization
  • A first-class policy interface using familiar Intune policies to easily customize and deploy a baseline with MDM
  • A versioning experience to stay up-to-date when Microsoft updates security baseline recommendations


You may choose to create security policies directly from these baselines and deploy them to users or customize the recommendations to meet the needs of your enterprise. Intune will validate that devices follow these baselines, report on baseline compliance and notify administrators if any devices or users move out of compliance.


Overview of MDM Security Baselines


Here’s an overview of the main aspects of MDM security baselines in the Intune console. Refer to the Microsoft Intune product documentation for prerequisites and guidance on deploying this feature:

1. Log in to the Microsoft Intune administration center and look for the new “Security baselines” workspace in the left navigation. If you don't see Security baselines in the left navigation panel, you may need to search for it under All services and add it to your favorites.

2. Review insights into the state of your Windows 10 devices against each published security baseline. Drill down to see more details and resolve the status as appropriate.

3. Create a security baseline profile using the familiar, customizable Intune policy interface.

4. Easily deploy the security profiles to Azure Active Directory user groups.

Next steps


The public preview of MDM security baselines is now being rolled out to Microsoft Intune tenants. If you are a Microsoft Intune customer, look for the public preview to be available in your tenant shortly.


If you require any help with your deployment, Microsoft offers a variety of resources and support tools to help you succeed. Customers with eligible subscriptions to Microsoft 365, Microsoft Enterprise Mobility + Security (EMS) or Microsoft Intune can request assistance from experts in FastTrack service at no additional cost for the life of their subscription. Whether you are a customer or a partner, FastTrack provides customized guidance for onboarding and adoption, including access to Microsoft engineering expertise, best practices, tools, and resources so you can leverage existing resources to plan your deployment.


More info and feedback

Learn how to get started with Microsoft Intune using our detailed technical documentation. Don’t have Microsoft Intune? Start a free trial or buy a subscription today!


As always, we want to hear from you! If you have any suggestions, questions, or comments, please visit us on our Tech Community page.


Follow @MSIntune on Twitter


14 Comments
Copper Contributor

What will be the export options going forward, both in terms of exporting with a view to importing into another tenant, and also exporting settings to CSV to review offline? The current export seems to be just a list of profiles created.

Brass Contributor

Is deployment only available to user groups, or to dynamic device groups as well (allowing you to differentiate between corporate and personal devices)?

Brass Contributor

Look for the public preview to be available in your tenant shortly. As of right now I only see it in our lower environment while waiting for it to pop up in our Production. Any ETA on when everyone should see it?

Copper Contributor

I don't see this baseline option within Intune. I do see one very similar at the root of Azure though - is that the same? Is that the reason we cannot export or import settings from it?

BTW, I love the name of your Intune Portal - Microsoft 365 Device Management!

Microsoft

@Damien Sweeney We don't currently support importing/exporting a baseline across tenants, but it's something we're thinking about. We'll be releasing a view of the settings in the baseline momentarily. It will be part of our core docs, linked in the essentials pane on the baseline itself.

@Raymond Huis in 't Veld Deployment is supported for any AAD group, including static and dynamic user and device groups.

@Miguel Sanabia You should have it in all tenants now. If it hasn't popped up in Intune yet, search for "Security baselines" in the top search bar.

@Deleted You'll see it in Intune shortly, and it is the same option as the root of Azure. It's just taking a bit more time for the Intune menu blade to update. See my answer to Damien above for export.

Brass Contributor

@Joey Glocke Checked and it now shows up as available. Thanks for the heads up, as I checked yesterday and it wasn't ready for us. Thanks!

Copper Contributor

What will happen when we can set the same policy through a normal policy, e.g. set password restrictions in the Baseline and in the Windows Hello for Business Profile? Which one wins? Or will there be guidance to NOT do such a thing?

BTW, I see that the Security Baseline is no longer in line with the latest publications (no password expirations). I guess this will be 'upgraded' in a next release of the baseline … how will change management happen for a company that accepted Microsoft defaults?

Steel Contributor

Just a confirmation because I've seen both answers. Are the baselines meant to actually 'deploy' the configuration, or are they being used to 'audit' a compliance-like checkbox on how your machines are being configured?

Copper Contributor

@Dustin Halvorson My understanding is that it is both: both the deployment of the baseline and the compliance reporting.
Microsoft

@Deleted The recommendation going forward is to use security baselines for all security-related settings, and device configuration profiles for everything else. It makes total sense that you'd already be using DC profiles for some of these settings. My recommendation there is to use a test device and apply your existing DC profiles + a security baseline. Our reporting across the console will show you what conflicts arise. From there, you can choose to disable the conflicting settings on either the DC profile or the security baseline. We'd recommend DC, since we're investing heavily in baselines going forward w.r.t. reporting, versioning, etc.


@Dustin Halvorson Ben was correct, it is both.

Copper Contributor

I have another question - what type of environment do you target the MDM Security Baseline to? Pure Modern Management or Co-management with AD joined devices (and a reliance on "technical debt" like IE?) Do you envisage multiple baselines will be published by Microsoft?


2. If you increase the functionality of your baseline (or reduce it by dropping IE settings for instance), what happens with already published baselines? Will they keep working as defined, or will they automatically inherit the modified capabilities?

Copper Contributor

@Joey Glocke Any news on importing/exporting a baseline across tenants? Appreciate any response! :)

Microsoft

@Deleted We designed baselines to be targeted to either environment, but the on-prem AD environment would require a hybrid setup with AAD to deploy them. We'll publish multiple baselines over time. These will be distinct from one another, each addressing a different specific scenario. For question 2, we're working on a versioning plan that will make the migration from old to new baseline policies seamless :)

@Bhoopathy M No immediate news, but this is a burning hot feature on our backlog :) 

Copper Contributor

@Joey Glocke Is the exporting function still in the backlog? It's a much-needed feature for a lot of my customers :)

Also, I have a question regarding using multiple baselines. For instance, I have both the MDM Security Baseline and the Defender ATP Baseline available; however, these two overlap quite a bit. Unless I'm missing something, there are features you cannot disable in either, hence you get a conflict if you want to use both (which I do, as there are neat possibilities in both of them which I wish to leverage).

Last update: Feb 14 2019 06:07 PM