Apr 14 2020 09:49 AM
Apologies if this has been asked here before. I'm starting to set up our endpoint security workloads as part of M365 and have found multiple points of crossover in the Intune console where precedence or differentiation isn't clear. For example, you seem to be able to describe BitLocker settings in multiple ways:
1) Create a standard Windows Encryption configuration profile under Devices
2) Create a Device Compliance policy under Devices > Compliance Policies
3) Create a Disk Encryption policy under Endpoint Security > Manage
4) Create a Windows 10 Security Baseline under Endpoint Security > Security Baselines
Am I right in thinking that 1) and 2) are the original workflows for doing 3) and 4)? So that any work I start doing now should be done in the Endpoint Security node?
Does a compliance policy or security baseline actually affect the settings on a device or is it just giving you the non-compliant/compliant flag and it's the Disk Encryption and Configuration Profiles that actually change the settings on the device?
Finally, has anyone else noticed that when you edit a Disk Encryption policy a bunch of the settings are missing and can't be seen or changed?
Thanks in advance
Apr 14 2020 12:25 PM
Apr 17 2020 05:40 AM
@neilcarden Thanks for the reply, I think I'm going to stick with configuration profiles until the Endpoint Management options have been matured. For example, there's no option to set firewall rules in the current EP Firewall policy.
It also looks like the Security baseline might be affecting some settings as I applied a whole bunch of stuff as part of a rebuild and somehow got stuck with installing store apps only!
Back to applying policies one at a time until I can work out what I broke :(
Apr 17 2020 08:14 AM
Apr 20 2020 02:23 AM
So I'm going to try and keep posting my progress with this. So far I've realised I'm better off having multiple configuration profiles rather than one big baseline one.
I'm creating one for each Win10 group of settings. For example I currently have one for Windows10-EndpointProtection-MicrosoftDefenderFirewall and a separate one for Windows10-EndpointProtection-MicrosoftDefenderSmartScreen. I might end up merging some of these in the end but right now I'm applying each of these to my pilot devices and confirming behaviour before moving on.
I'm avoiding Security Baselines completely at the moment. Although I'd really like to use them, there are just too many settings in one place with no way to confirm what's going to change. I'd really like to see a monitor mode for security baselines so I can understand what is going to change if I apply one.
Apr 20 2020 03:17 AM
@SimonR That's exactly how I have been doing it, although I did make a few 'big' ones and wish I hadn't, as it's so easy to forget what you have enabled or configured on some of them. There are some good scripts for exporting them as well, so you can then re-import or move to a dev environment.
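An added example of the export-and-re-import approach mentioned in the last reply; it is not a script from the thread or from any poster. It assumes the Microsoft.Graph PowerShell module is installed, uses the Graph beta `deviceManagement/deviceConfigurations` endpoint (which is where the Windows 10 Endpoint Protection profiles named above live), and assumes that stripping `id`, `createdDateTime`, `lastModifiedDateTime` and `version` is enough for the exported JSON to be accepted on POST.

```powershell
# Added example (not from the thread): export every Intune device configuration
# profile to one JSON file each, with the read-only properties removed so the
# file can be POSTed into a dev tenant profile by profile.
# Assumptions: Microsoft.Graph module, Graph beta endpoint, and that the four
# properties listed in $readOnly are the only ones Graph rejects on re-import.
Connect-MgGraph -Scopes 'DeviceManagementConfiguration.Read.All' | Out-Null

$baseUri  = 'https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations'
$outDir   = Join-Path $PWD 'intune-profiles'
$readOnly = @('id', 'createdDateTime', 'lastModifiedDateTime', 'version')

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Follow @odata.nextLink so tenants with more than one page of profiles are covered.
$uri = $baseUri
do {
    $page = Invoke-MgGraphRequest -Method GET -Uri $uri -OutputType PSObject
    foreach ($cfg in $page.value) {
        # Copy every settable property; '@odata.type' is kept because POST needs it.
        $clean = [ordered]@{}
        foreach ($prop in $cfg.PSObject.Properties) {
            if ($readOnly -notcontains $prop.Name) { $clean[$prop.Name] = $prop.Value }
        }
        # File name taken from the display name, e.g. Windows10-EndpointProtection-MicrosoftDefenderFirewall.json
        $safeName = $cfg.displayName -replace '[^\w\-]', '_'
        $clean | ConvertTo-Json -Depth 20 |
            Set-Content -Path (Join-Path $outDir "$safeName.json") -Encoding UTF8
        Write-Host "Exported $($cfg.'@odata.type'): $($cfg.displayName)"
    }
    $uri = $page.'@odata.nextLink'
} while ($uri)

# Re-import one profile into another tenant (needs DeviceManagementConfiguration.ReadWrite.All):
#   $body = Get-Content (Join-Path $outDir 'SomeProfile.json') -Raw
#   Invoke-MgGraphRequest -Method POST -Uri $baseUri -Body $body -ContentType 'application/json'
```

Exported files carry no assignments, so after re-import each profile still has to be assigned to a pilot group before it changes anything on a device.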