SOLVED

Security Baselines instead of standalone configs?


Hi everyone,

 

I'm asking myself why security baselines are useful. At this moment I use device configurations for ATP, Hello, Device restrictions, etc.

Why should I use security baselines instead? What are the advantages for me?

 

Thank you in advance. :)

Patrick

3 Replies
Best Response confirmed by PatrickF11 (Regular Contributor)
Solution

@PatrickF11 The benefits would be that you get recommended settings just as we do with the GPO version of the baseline. Each time a new Windows 10 version is released, a new version of the baseline for that version will be available. That will save you time and make it easier to be more secure.

Regards,
Jörgen

@Jörgen Nilsson 

 

The only problem is that the Intune Security Baseline for Windows is not keeping up with the Windows Security Baseline.

 

In Aug 2020, on a new tenant with release 2007, the Intune Windows 10 Security Baseline version is May 2019.

 

Since May 2019 the Windows Security Baseline went final in Nov 2019 [https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-wind... ], but over half a year later the Intune Security Baseline for Windows 10 hasn't been touched.

 

It wouldn't be such a problem if the Security Baseline deployed settings which another policy could tweak, but that causes setting conflicts.

 

And if you have Windows Security Baseline + Windows Defender ATP Baseline ... you have to be very careful in your policy changes, because both baselines have some overlapping settings (for example, BitLocker).

 

These are some reasons why I don't use the baselines. :\
By the way: I've opened up a ticket at MS asking what the best practice is. (So where to configure some settings. Some of them are in the old-fashioned device configuration profiles, some of them are in the baselines, too, and some of them are in the device security blade, too.)
The support's answer was: Device configuration profiles. :D